@cognite/cli 1.2.0 → 1.3.1

package/LICENSE.md

@@ -0,0 +1,6 @@
+Commercial Software Licence Agreement
+
+Copyright (c) Cognite AS 2026
+
+See Master Subscription and Professional Services Agreement for details:
+https://www.cognite.com/en/company/legal/master-subscription-services-agreement-2025

package/_templates/app/new/root/AGENTS.md.ejs.t

@@ -28,11 +28,63 @@ Always check `@cognite/aura/components` before reaching for a raw HTML element o
 
 ---
 
-## 2. Dependency Injection
+## 2. Host integration (`@cognite/app-sdk`)
 
-Inject dependencies via React context (hooks/components) or factory-override pattern (plain functions). Never hard-code dependencies.
+The Fusion host exposes a `HostAppAPI` (imported as `HostAppAPI` from `@cognite/app-sdk`) via `connectToHostApp(...)`. Reach for it whenever the situation calls for it — don't hand-roll an equivalent or read browser globals directly.
 
-### React context
+### Decision rule for any new piece of state
+
+Before adding `useState`, `useReducer`, or a store entry, ask: **"would a user expect this to survive a page reload, or to be restored when someone opens a shared link?"** If yes, it belongs in `syncInternalState` + `initialState`, **not** in plain React state.
+
+- **Yes, host-synced:** current page / active view / route, selected tab, active filters, selected resource id, search query, sort order, expanded rows, focused row, side-panel open/closed — anything that drives what the user sees.
+- **No, local-only:** in-flight form input before submit, hover/focus, transient toasts, animation state, optimistic UI mid-flight.
+
+When in doubt, host-synced is the safer default — over-syncing is cheap, under-syncing breaks reload and share.
+
+### API surface
+
+- **Host-synced UI state** → on startup, seed your state from the `initialState` string returned by `connectToHostApp`. On every change, call `api.syncInternalState(JSON.stringify(state))`. The host serializes this into the URL so reloads and shared links restore the same state. **Do not** hold state from the "host-synced" category above in plain `useState` / `useRef` / a local store.
+- **Navigating elsewhere in Fusion** (another app, a Fusion route) → `api.navigateInternal({ path, queryParams, hash })`. Never set `window.location` directly.
+- **Navigating to an external URL** → `api.navigateExternal({ url, openInNewTab })`. Only `https:` is allowed.
+- **Needing a CDF base URL or access token** for API requests → `api.getBaseUrl()` / `api.getAccessToken()`. Never hardcode the cluster URL.
+- **Needing the current CDF project name** → `api.getProject()`. Don't read it from config or URL params.
+- **Exposing the app's capabilities to a Fusion agent** → register a custom agent server with `api.registerAgentServer(handle)` and clean up on unmount with `api.unregisterAgentServer(uri)`.
+
+Get `api` once at app startup and surface it to the rest of the app via React context so view models can depend on it through the patterns below.
+
+### Round-trip example: host-synced state
+
+```typescript
+import { connectToHostApp, type HostAppAPI } from '@cognite/app-sdk';
+
+type AppState = { page: 'a' | 'b'; filters: string[] };
+const DEFAULT_STATE: AppState = { page: 'a', filters: [] };
+
+// On startup — seed from initialState, not from a hardcoded default.
+const { api, initialState } = await connectToHostApp({ applicationName: '<%= name %>' });
+const seeded: AppState = initialState ? (JSON.parse(initialState) as AppState) : DEFAULT_STATE;
+
+// On every change — push the new state to the host so the URL stays in sync.
+async function updateState(next: AppState, api: HostAppAPI) {
+  setState(next); // your local React/store setter
+  await api.syncInternalState(JSON.stringify(next));
+}
+```
+
+`initialState` is the JSON string the host extracted from the URL on this load — the host owns the URL plumbing, the app just reads/writes the string.
+
+---
+
+## 3. Dependency Injection
+
+**All non-stateless dependencies must be injected.** Never import and call a service, SDK client, or stateful module directly inside a component or hook — it makes the code untestable and tightly coupled.
+
+What to inject: SDK clients, API services, analytics, timers (`Date.now`, `setTimeout`), random generators, external stores.
+What not to inject: pure functions, constants, type utilities.
+
+Use **narrow interfaces** — depend only on the subset of a service you actually need.
+
+### React context (hooks and components)
 
 ```typescript
 const defaultDeps = { useDataSource, useAnalytics };
@@ -44,7 +96,7 @@ export function useMyHook() {
 }
 ```
 
-### Factory overrides
+### Factory overrides (plain functions)
 
 ```typescript
 type Deps = { serviceFactory: () => SomeService };
@@ -57,7 +109,7 @@ export const doWork = async (props: Props, overrides?: Partial<Deps>) => {
 
 ---
 
-## 3. Interface-Based Services
+## 4. Interface-Based Services
 
 Define an interface; implement with a class. Never reference the concrete class outside its own file.
 
@@ -74,7 +126,7 @@ export class ApiDataService implements DataService {
 
 ---
 
-## 4. ViewModel Pattern
+## 5. ViewModel Pattern
 
 Business logic lives in `use<Name>ViewModel`. Components only render.
 
@@ -95,9 +147,26 @@ export const TodoView = () => {
 };
 ```
 
+### Where state lives
+
+A ViewModel hook must **not** hold state with `useState` / `useReducer` directly. State lives in a shared storage layer — a context-backed hook (like `useTodoStorage` above), a store, or a `*StateProvider` rendered once near the root of the view tree. The ViewModel composes that storage with commands and derivations; it is itself stateless.
+
+This matters because each call to a `useState`-backed hook creates an **independent** piece of React state. Two components calling the same ViewModel hook would each get their own copy and never sync.
+
+> ⚠️ Anti-pattern: `useState` inside `useFooViewModel`, then two sibling components each call `useFooViewModel()`. Clicks update one copy; the other renders stale data.
+
+### How many times to call a ViewModel hook
+
+- **Backed by shared context / store** → multiple components may call the hook; they all observe the same value. This is the default for non-trivial views.
+- **Not backed by shared state** → call the hook **once** at the top of the view tree and pass values down as props. Never call it twice and expect them to stay in sync.
+
+### Host-synced state inside a ViewModel
+
+When a ViewModel exposes state that falls under §2's "host-synced" category, the **ViewModel** — not the view component — is responsible for seeding from `initialState` and pushing changes via `syncInternalState`. The state itself still lives in the shared storage layer described above; the ViewModel just owns the read/write contract with the host.
+
 ---
 
-## 5. Test-First Development
+## 6. Test-First Development
 
 Write tests before implementation for all non-trivial behavior changes.
 
@@ -193,21 +262,41 @@ Place reusable factories in `src/__mocks__/`. Use `.test` TLD for fake URLs (RFC
 
 ---
 
-## 6. TypeScript Rules
+## 7. TypeScript Rules
 
 - Never use `any`; prefer `unknown` or explicit strong types
-- Never use `as unknown as T`; for partial test doubles use `{ ...defaults, ...overrides } as T`
+- Never use `as` casts — they silence the compiler without providing safety. Use type guards instead.
+- Exception: `Partial<T> as T` is acceptable for test mocks only.
+- All function parameters must have type annotations.
 - Use direct React type imports: `import type { ComponentType, ReactNode } from 'react'`
 
 ```typescript
-function createMockWindow(overrides: Partial<Window> = {}): Window {
-  return { postMessage: vi.fn(), ...overrides } as Window;
+// ❌ Never
+const x: any = data;
+const y = data as SomeType;
+const z = {} as unknown as Window;
+function process(data) { ... }         // missing parameter type
+
+// ✅ Type guard
+function isSomeType(value: unknown): value is SomeType {
+  return typeof value === 'object' && value !== null && 'id' in value;
 }
+if (isSomeType(data)) { /* TypeScript now knows */ }
+
+// ✅ Test mock only
+const mock = { postMessage: vi.fn() } as Partial<Window> as Window;
 ```
 
 ---
 
-## 7. Commits and pull requests
+## 8. CogniteClient / authentication
+
+Auth is handled by `CogniteSdkProvider` from `@cognite/app-sdk/react` (see `App.tsx`). Nested components get the client via `useCogniteSdk()`. To wire up or migrate auth, run the `/setup-flows-auth` skill.
+
+---
+
+
+## 9. Commits and pull requests
 
 Use [Conventional Commits v1.0.0](https://www.conventionalcommits.org/en/v1.0.0/).
 

package/_templates/app/new/root/package.json.ejs.t

@@ -27,7 +27,7 @@ to: '<%= useCurrentDir ? "" : ((directoryName || name) + "/") %>package.json'
   "dependencies": {
     "@cognite/aura": "^0.1.7",
     "@cognite/sdk": "^10.3.0",
-    "@cognite/app-sdk": "^0.4.0",
+    "@cognite/app-sdk": "^0.5.1",
     "@tabler/icons-react": "^3.35.0",
     "@tanstack/react-query": "^5.90.10",
     "clsx": "^2.1.1",

package/_templates/app/new/src/App.test.tsx.ejs.t

@@ -1,13 +1,45 @@
 ---
 to: '<%= useCurrentDir ? "" : ((directoryName || name) + "/") %>src/App.test.tsx'
 ---
-import * as appSdk from '@cognite/app-sdk';
 import { render, screen, waitFor } from '@testing-library/react';
 import { beforeEach, describe, expect, it, vi } from 'vitest';
+import type { HostAppAPI, ConnectToHostAppResult } from '@cognite/app-sdk';
+import { CogniteClient } from '@cognite/sdk';
+import type { ComponentProps } from 'react';
 
 import App from './App';
 
-vi.mock(import('@cognite/app-sdk'));
+type AppDeps = NonNullable<ComponentProps<typeof App>['deps']>;
+
+function makeApi(): HostAppAPI {
+  return {
+    getProject: vi.fn<HostAppAPI['getProject']>(() => Promise.resolve('<%= project %>')),
+    getBaseUrl: vi.fn<HostAppAPI['getBaseUrl']>(() => Promise.resolve('https://cognite.test')),
+    getAccessToken: vi.fn<HostAppAPI['getAccessToken']>(() => Promise.resolve('test-token')),
+    getAppId: vi.fn<HostAppAPI['getAppId']>(() => Promise.resolve('test-app-id')),
+    syncInternalState: vi.fn<HostAppAPI['syncInternalState']>(() => Promise.resolve(true)),
+    navigateInternal: vi.fn<HostAppAPI['navigateInternal']>(() => Promise.resolve(true)),
+    navigateExternal: vi.fn<HostAppAPI['navigateExternal']>(() => Promise.resolve(true)),
+    registerAgentServer: vi.fn<HostAppAPI['registerAgentServer']>(() => Promise.resolve()),
+    unregisterAgentServer: vi.fn<HostAppAPI['unregisterAgentServer']>(() => Promise.resolve()),
+    sendAgentLayoutMode: vi.fn<HostAppAPI['sendAgentLayoutMode']>(() => Promise.resolve()),
+    sendAgentMessage: vi.fn<HostAppAPI['sendAgentMessage']>(() => Promise.resolve()),
+  };
+}
+
+function makeLoadingDeps(): AppDeps {
+  return {
+    connectToHostApp: vi.fn<AppDeps['connectToHostApp']>(() => new Promise<ConnectToHostAppResult>(() => undefined)),
+    createClient: vi.fn<AppDeps['createClient']>((config) => new CogniteClient(config)),
+  };
+}
+
+function makeConnectedDeps(): AppDeps {
+  return {
+    connectToHostApp: vi.fn<AppDeps['connectToHostApp']>(() => Promise.resolve({ api: makeApi() })),
+    createClient: vi.fn<AppDeps['createClient']>((config) => new CogniteClient(config)),
+  };
+}
 
 describe('App', () => {
   beforeEach(() => {
@@ -15,19 +47,13 @@ describe('App', () => {
   });
 
   it('renders loading state', () => {
-    vi.mocked(appSdk.connectToHostApp).mockReturnValue(new Promise(() => {}));
-
-    render(<App />);
+    render(<App deps={makeLoadingDeps()} />);
     expect(screen.getByText('Loading project...')).toBeInTheDocument();
   });
 
   it('renders splash with deployment targets and checklist copy', async () => {
-    vi.mocked(appSdk.connectToHostApp).mockResolvedValue({
-      api: { getProject: vi.fn().mockResolvedValue('my-test-project') } as Partial<appSdk.HostAppAPI> as appSdk.HostAppAPI,
-    });
-
-    render(<App />);
-    await waitFor(() => expect(screen.getByText('Welcome to Flows')).toBeInTheDocument());
+    render(<App deps={makeConnectedDeps()} />);
+    await waitFor(() => expect(screen.getByText('Welcome to Flows custom apps')).toBeInTheDocument());
     expect(screen.getByText('App deployment checklist')).toBeInTheDocument();
     expect(screen.getByText('Plan')).toBeInTheDocument();
     expect(screen.getByText('Explore')).toBeInTheDocument();

package/_templates/app/new/src/App.tsx.ejs.t

@@ -1,7 +1,8 @@
 ---
 to: '<%= useCurrentDir ? "" : ((directoryName || name) + "/") %>src/App.tsx'
 ---
-import { connectToHostApp } from '@cognite/app-sdk';
+import type { ComponentProps } from 'react';
+import { CogniteSdkProvider, useCogniteSdk } from '@cognite/app-sdk/react';
 import {
   Alert,
   AlertDescription,
@@ -18,7 +19,6 @@ import {
   Separator,
 } from '@cognite/aura/components';
 import { IconCaretUpDown, IconRocket } from '@tabler/icons-react';
-import { useEffect, useState } from 'react';
 
 import appConfig from '../app.json';
 
@@ -62,71 +62,41 @@ const CHECKLIST_STEPS = [
   },
 ] as const;
 
-function App() {
-  // Connect to the Fusion host via @cognite/app-sdk. The handshake is
-  // asynchronous — `project` is only populated after Comlink finishes
-  // exposing the host API, so we render a loader until then.
-  const [project, setProject] = useState<string | null>(null);
-  const [isLoading, setIsLoading] = useState(true);
-  const [error, setError] = useState<string | undefined>();
-
-  useEffect(() => {
-    let cancelled = false;
-    connectToHostApp({ applicationName: '<%= name %>' })
-      .then(async ({ api }) => {
-        if (cancelled) return;
-        const proj = await api.getProject();
-        if (cancelled) return;
-        setProject(proj);
-      })
-      .catch((err: unknown) => {
-        if (cancelled) return;
-        setError(err instanceof Error ? err.message : String(err));
-      })
-      .finally(() => {
-        if (!cancelled) setIsLoading(false);
-      });
-    return () => {
-      cancelled = true;
-    };
-  }, []);
-
-  if (isLoading) {
-    return (
-      <main className="min-h-screen bg-muted/50 text-foreground">
-        <section className="mx-auto flex min-h-screen w-full max-w-lg flex-col justify-center p-4 sm:p-8">
-          <div className="mx-auto w-full max-w-sm">
-            <Card aria-label="Loading project" aria-live="polite">
-              <CardContent>
-                <div className="inline-flex items-center gap-3 text-muted-foreground">
-                  <Loader size={20} />
-                  <span>Loading project...</span>
-                </div>
-              </CardContent>
-            </Card>
-          </div>
-        </section>
-      </main>
-    );
-  }
-
-  if (error) {
-    return (
-      <main className="min-h-screen bg-muted/50 text-foreground">
-        <section className="mx-auto flex min-h-screen w-full max-w-lg flex-col justify-center p-4 sm:p-8">
-          <div className="mx-auto w-full max-w-sm">
-            <Alert>
-              <AlertDescription>Failed to connect to Fusion host: {error}</AlertDescription>
-            </Alert>
-          </div>
-        </section>
-      </main>
-    );
-  }
+const loadingFallback = (
+  <main className="min-h-screen bg-muted/50 text-foreground">
+    <section className="mx-auto flex min-h-screen w-full max-w-lg flex-col justify-center p-4 sm:p-8">
+      <div className="mx-auto w-full max-w-sm">
+        <Card aria-label="Loading project" aria-live="polite">
+          <CardContent>
+            <div className="inline-flex items-center gap-3 text-muted-foreground">
+              <Loader size={20} />
+              <span>Loading project...</span>
+            </div>
+          </CardContent>
+        </Card>
+      </div>
+    </section>
+  </main>
+);
+
+const errorFallback = (
+  <main className="min-h-screen bg-muted/50 text-foreground">
+    <section className="mx-auto flex min-h-screen w-full max-w-lg flex-col justify-center p-4 sm:p-8">
+      <div className="mx-auto w-full max-w-sm">
+        <Alert>
+          <AlertDescription>Failed to connect to Fusion host</AlertDescription>
+        </Alert>
+      </div>
+    </section>
+  </main>
+);
+
+function AppContent() {
+  const client = useCogniteSdk();
 
   const deployment = appConfig.deployments?.[0];
   const orgLabel = deployment?.org ?? '';
-  const projectLabel = deployment?.project ?? project ?? '';
+  const projectLabel = deployment?.project ?? client.project ?? '';
 
   return (
     <main className="min-h-screen bg-muted/50 text-foreground">
@@ -230,4 +200,16 @@ function App() {
   );
 }
 
+type AppProps = {
+  deps?: ComponentProps<typeof CogniteSdkProvider>['deps'];
+};
+
+function App({ deps }: AppProps) {
+  return (
+    <CogniteSdkProvider loadingFallback={loadingFallback} errorFallback={errorFallback} deps={deps}>
+      <AppContent />
+    </CogniteSdkProvider>
+  );
+}
+
 export default App;

package/dist/{chunk-PT2DTNGD.js → chunk-QOJVLP7E.js}

@@ -1,9 +1,9 @@
-var W=Object.defineProperty;var s=(e,t)=>W(e,"name",{value:t,configurable:!0});import Y from"fs";import gt from"path";var N="https://docs.cognite.com/cdf/access/";function m(e){return e!==null&&typeof e=="object"}s(m,"isRecord");function S(e){return e instanceof Error&&"status"in e&&typeof e.status=="number"}s(S,"isHttpError");function Z(e){switch(e){case 401:return`Your credentials are invalid or expired. Check your client ID and secret.
-  See: ${N}`;case 403:return`You don't have the required CDF capabilities. Please contact your CDF admin.
-  See: ${N}`;default:return}}s(Z,"httpStatusHint");function A(e){let t=e instanceof Error?e:new Error(String(e));if(!S(t))return null;let n=Z(t.status);return n?Object.assign(new Error(`${t.message}
-  ${n}`),{cause:t}):null}s(A,"enrichedHttpError");function X(e){if(!m(e))return null;let t=e.missing;if(Array.isArray(t))return t;let n=e.data;if(m(n)){let r=n.error;if(m(r)&&Array.isArray(r.missing))return r.missing;if(Array.isArray(n.missing))return n.missing}return null}s(X,"findMissingArray");function Q(e,t){if(!S(e)||e.status!==400)return!1;let n=X(e);return n?n.some(r=>m(r)&&typeof r.externalId=="string"&&t.includes(r.externalId)):!1}s(Q,"isMissingExternalIdError");function $(e,t){return S(e)&&e.status===404||Q(e,t)}s($,"isNotFoundError");var M=["DRAFT","PUBLISHED","DEPRECATED","ARCHIVED"],J=["ACTIVE","PREVIEW"],I=class I extends Error{constructor(t,n){super(`Version ${n} of app ${t} not found`),this.name="AppVersionNotFoundError",this.appExternalId=t,this.version=n}};s(I,"AppVersionNotFoundError");var V=I;function q(e,t){return e.includes(t)}s(q,"includesValue");function tt(e){return q(M,e)}s(tt,"isAppVersionLifecycleState");function et(e){return q(J,e)}s(et,"isAppVersionAlias");function nt(e){return typeof e.version=="string"&&tt(e.lifecycleState)&&typeof e.entrypoint=="string"&&typeof e.createdTime=="number"&&typeof e.createdBy=="string"&&typeof e.appExternalId=="string"&&(e.alias===void 0||et(e.alias))&&(e.comment===void 0||typeof e.comment=="string")}s(nt,"isAppVersion");function H(e){if(!m(e))throw new Error("Invalid version response: not an object");if(!nt(e))throw new Error("Invalid version response: missing or malformed fields");return e}s(H,"parseAppVersion");var T=class T{constructor(t){this.client=t}get appsBasePath(){return`/api/v1/projects/${encodeURIComponent(this.client.project)}/apphosting/apps`}async createApp(t,n,r){try{await this.client.post(this.appsBasePath,{data:{items:[{externalId:t,name:n,description:r}]}})}catch(o){throw A(o)??o}}async uploadVersion(t,n,r,o,i="index.html"){console.log(`\u{1F4E4} Uploading version ${n}...`);let a=new FormData;a.append("file",new Blob([new Uint8Array(r)]),o),a.append("version",n),a.append("entryPath",i);let l=encodeURIComponent(t),c=`${this.appsBasePath}/${l}/versions`,p=await this.client.authenticate(),g=`${this.client.getBaseUrl()}${c}`,u=new AbortController,G=setTimeout(()=>u.abort(),300*1e3),h;try{h=await fetch(g,{method:"POST",headers:{Authorization:`Bearer ${p}`},body:a,signal:u.signal})}catch(f){throw f instanceof Error&&f.name==="AbortError"?new Error("Upload timed out after 5 minutes"):f}finally{clearTimeout(G)}if(!h.ok){let f=await h.text(),k=f;try{let x=JSON.parse(f);if(m(x)){let w=x.error;if(typeof w=="string")k=w;else if(m(w)){let E=w.message,F=w.code;k=typeof E=="string"?E:F!=null?`Unknown error (code: ${F})`:f}else{let E=x.message;k=typeof E=="string"?E:f}}}catch{}let j=h.headers.get("x-request-id"),K=j?` | X-Request-ID: ${j}`:"",B=Object.assign(new Error(`Upload failed: ${h.status} \u2014 ${k}${K}`),{status:h.status});throw A(B)??B}console.log(`\u2705 Version ${n} uploaded`)}async getVersion(t,n){let r=encodeURIComponent(t),o=encodeURIComponent(n),i=`${this.appsBasePath}/${r}/versions/${o}`;try{let a=await this.client.get(i);return H(a.data)}catch(a){throw $(a,[t,n])?new V(t,n):A(a)??a}}async getActiveVersion(t){let n=encodeURIComponent(t),r=`${this.appsBasePath}/${n}/active`;try{let o=await this.client.get(r);return H(o.data)}catch(o){if($(o,[t]))return null;throw A(o)??o}}async updateVersions(t,n){let r=encodeURIComponent(t),o=`${this.appsBasePath}/${r}/versions/update`;try{await this.client.post(o,{data:{items:n}})}catch(i){throw A(i)??i}}};s(T,"AppHostingApi");var v=T;var b=class b{constructor(t){this.api=new v(t)}getVersion(t,n){return this.api.getVersion(t,n)}uploadVersion(t,n,r,o,i){return this.api.uploadVersion(t,n,r,o,i)}async ensureApp(t,n,r){console.log("\u{1F50D} Ensuring app exists...");try{await this.api.createApp(t,n,r),console.log(`\u2705 App '${t}' created`)}catch(o){if(S(o)&&o.status===409){console.log(`\u2705 App '${t}' already exists`);return}throw o}}async publishVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"}}}])}async publishAndActivate(t,n){console.log(`\u{1F680} Publishing and activating version ${n}...`),await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"},alias:{set:"ACTIVE"}}}]),console.log(`\u2705 Version ${n} is now PUBLISHED and ACTIVE`)}async activateVersion(t,n){let r=null;try{r=await this.api.getActiveVersion(t)}catch{r=null}let o=r&&r.version!==n?r.version:void 0;return await this.api.updateVersions(t,[{version:n,update:{alias:{set:"ACTIVE"}}}]),{supersededVersion:o}}async deploy(t,n,r,o,i,a,l=!1){console.log(`
+var W=Object.defineProperty;var s=(e,t)=>W(e,"name",{value:t,configurable:!0});import Y from"fs";import gt from"path";var F="https://docs.cognite.com/cdf/access/";function m(e){return e!==null&&typeof e=="object"}s(m,"isRecord");function P(e){return e instanceof Error&&"status"in e&&typeof e.status=="number"}s(P,"isHttpError");function Z(e){switch(e){case 401:return`Your credentials are invalid or expired. Check your client ID and secret.
+  See: ${F}`;case 403:return`You don't have the required CDF capabilities. Please contact your CDF admin.
+  See: ${F}`;default:return}}s(Z,"httpStatusHint");function A(e){let t=e instanceof Error?e:new Error(String(e));if(!P(t))return null;let n=Z(t.status);return n?Object.assign(new Error(`${t.message}
+  ${n}`),{cause:t}):null}s(A,"enrichedHttpError");function X(e){if(!m(e))return null;let t=e.missing;if(Array.isArray(t))return t;let n=e.data;if(m(n)){let r=n.error;if(m(r)&&Array.isArray(r.missing))return r.missing;if(Array.isArray(n.missing))return n.missing}return null}s(X,"findMissingArray");function Q(e,t){if(!P(e)||e.status!==400)return!1;let n=X(e);return n?n.some(r=>m(r)&&typeof r.externalId=="string"&&t.includes(r.externalId)):!1}s(Q,"isMissingExternalIdError");function $(e,t){return P(e)&&e.status===404||Q(e,t)}s($,"isNotFoundError");var M=["DRAFT","PUBLISHED","DEPRECATED","ARCHIVED"],J=["ACTIVE","PREVIEW"],I=class I extends Error{constructor(t,n){super(`Version ${n} of app ${t} not found`),this.name="AppVersionNotFoundError",this.appExternalId=t,this.version=n}};s(I,"AppVersionNotFoundError");var k=I;function q(e,t){return e.includes(t)}s(q,"includesValue");function tt(e){return q(M,e)}s(tt,"isAppVersionLifecycleState");function et(e){return q(J,e)}s(et,"isAppVersionAlias");function nt(e){return typeof e.version=="string"&&tt(e.lifecycleState)&&typeof e.entrypoint=="string"&&typeof e.createdTime=="number"&&typeof e.createdBy=="string"&&typeof e.appExternalId=="string"&&(e.alias===void 0||et(e.alias))&&(e.comment===void 0||typeof e.comment=="string")}s(nt,"isAppVersion");function H(e){if(!m(e))throw new Error("Invalid version response: not an object");if(!nt(e))throw new Error("Invalid version response: missing or malformed fields");return e}s(H,"parseAppVersion");var T=class T{constructor(t){this.client=t}get appsBasePath(){return`/api/v1/projects/${encodeURIComponent(this.client.project)}/apphosting/apps`}async createApp(t,n,r){try{await this.client.post(this.appsBasePath,{data:{items:[{externalId:t,name:n,description:r}]}})}catch(o){throw A(o)??o}}async uploadVersion(t,n,r,o,i="index.html"){console.log(`\u{1F4E4} Uploading version ${n}...`);let a=new FormData;a.append("file",new Blob([new Uint8Array(r)]),o),a.append("version",n),a.append("entryPath",i);let l=encodeURIComponent(t),c=`${this.appsBasePath}/${l}/versions`,p=await this.client.authenticate(),g=`${this.client.getBaseUrl()}${c}`,u=new AbortController,G=setTimeout(()=>u.abort(),300*1e3),h;try{h=await fetch(g,{method:"POST",headers:{Authorization:`Bearer ${p}`},body:a,signal:u.signal})}catch(f){throw f instanceof Error&&f.name==="AbortError"?new Error("Upload timed out after 5 minutes"):f}finally{clearTimeout(G)}if(!h.ok){let f=await h.text(),V=f;try{let x=JSON.parse(f);if(m(x)){let w=x.error;if(typeof w=="string")V=w;else if(m(w)){let E=w.message,B=w.code;V=typeof E=="string"?E:B!=null?`Unknown error (code: ${B})`:f}else{let E=x.message;V=typeof E=="string"?E:f}}}catch{}let j=h.headers.get("x-request-id"),K=j?` | X-Request-ID: ${j}`:"",N=Object.assign(new Error(`Upload failed: ${h.status} \u2014 ${V}${K}`),{status:h.status});throw A(N)??N}console.log(`\u2705 Version ${n} uploaded`)}async getVersion(t,n){let r=encodeURIComponent(t),o=encodeURIComponent(n),i=`${this.appsBasePath}/${r}/versions/${o}`;try{let a=await this.client.get(i);return H(a.data)}catch(a){throw $(a,[t,n])?new k(t,n):A(a)??a}}async getActiveVersion(t){let n=encodeURIComponent(t),r=`${this.appsBasePath}/${n}/active`;try{let o=await this.client.get(r);return H(o.data)}catch(o){if($(o,[t]))return null;throw A(o)??o}}async updateVersions(t,n){let r=encodeURIComponent(t),o=`${this.appsBasePath}/${r}/versions/update`;try{await this.client.post(o,{data:{items:n}})}catch(i){throw A(i)??i}}};s(T,"AppHostingApi");var v=T;var b=class b{constructor(t){this.api=new v(t)}getVersion(t,n){return this.api.getVersion(t,n)}uploadVersion(t,n,r,o,i){return this.api.uploadVersion(t,n,r,o,i)}async ensureApp(t,n,r){console.log("\u{1F50D} Ensuring app exists...");try{await this.api.createApp(t,n,r),console.log(`\u2705 App '${t}' created`)}catch(o){if(P(o)&&o.status===409){console.log(`\u2705 App '${t}' already exists`);return}throw o}}async publishVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"}}}])}async publishAndActivate(t,n){console.log(`\u{1F680} Publishing and activating version ${n}...`),await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"},alias:{set:"ACTIVE"}}}]),console.log(`\u2705 Version ${n} is now PUBLISHED and ACTIVE`)}getActiveVersion(t){return this.api.getActiveVersion(t)}async deactivateVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{alias:{setNull:!0}}}])}async activateVersion(t,n){let r=null;try{r=await this.api.getActiveVersion(t)}catch{r=null}let o=r&&r.version!==n?r.version:void 0;return await this.api.updateVersions(t,[{version:n,update:{alias:{set:"ACTIVE"}}}]),{supersededVersion:o}}async deploy(t,n,r,o,i,a,l=!1){console.log(`
 \u{1F680} Deploying application via App Hosting API...
 `);try{await this.ensureApp(t,n,r),await this.uploadVersion(t,o,i,a),l&&await this.publishAndActivate(t,o),console.log(`
-\u2705 Deployment successful!`)}catch(c){let p=c instanceof Error?c.message:String(c);throw Object.assign(new Error(`Deployment failed: ${p}`),{cause:c})}}};s(b,"AppHostingClient");var P=b;import y from"fs";import d from"path";import{parseAndValidateManifestConfig as rt}from"@cognite/app-sdk/vite";import{BlobReader as ot,Uint8ArrayWriter as st,ZipWriter as it}from"@zip.js/zip.js";var R="package.json",D="package-lock.json",z="manifest.json",_=".cognite",L=class L{constructor(t="dist"){this.distPath=d.isAbsolute(t)?t:d.join(process.cwd(),t),this.appRoot=d.dirname(this.distPath)}validateBuildDirectory(){if(!y.existsSync(this.distPath))throw new Error(`Build directory "${this.distPath}" not found. Run build first.`);let t=d.join(this.appRoot,R);if(!y.existsSync(t))throw new Error(`"${t}" not found. It is required for deployment.`);let n=d.join(this.appRoot,D);if(!y.existsSync(n))throw new Error(`"${n}" not found. It is required for deployment.`)}async createZip(t="app.zip",n=!1){this.validateBuildDirectory(),console.log("\u{1F4E6} Packaging application...");let r=new it(new st,{level:9}),o=s(async(c,p)=>{await r.add(p,new ot(await y.openAsBlob(c))),n&&console.log(`  \u{1F4C4} ${p}`)},"addFile"),i=s(async c=>{let p=await y.promises.readdir(c,{withFileTypes:!0});for(let g of p){let u=d.join(c,g.name);g.isDirectory()?await i(u):await o(u,d.relative(this.distPath,u).replace(/\\/g,"/"))}},"addDir"),a;try{await i(this.distPath);let c=d.join(this.appRoot,R);await o(c,d.posix.join(_,R));let p=d.join(this.appRoot,z);if(y.existsSync(p)){let u=y.readFileSync(p,"utf-8");rt(u,p),await o(p,d.posix.join(_,z))}let g=d.join(this.appRoot,D);await o(g,d.posix.join(_,D)),a=await r.close()}catch(c){let p=c instanceof Error?c.message:String(c);throw new Error(`Failed to create zip: ${p}`)}await y.promises.writeFile(t,a);let l=(a.byteLength/1024/1024).toFixed(2);return console.log(`\u2705 App packaged: ${t} (${l} MB)`),t}};s(L,"ApplicationPackager");var C=L;import{CogniteClient as ut}from"@cognite/sdk";var at=s(()=>{let e=process.env.DEPLOYMENT_SECRETS;if(!e)return{};try{let t=JSON.parse(e),n={};for(let[r,o]of Object.entries(t))if(typeof o=="string"){let i=r.toLowerCase().replace(/_/g,"-");n[i]=o}return n}catch(t){return console.error("Error parsing DEPLOYMENT_SECRETS:",t),{}}},"loadSecretsFromEnv"),ct=s(e=>{let t;if(process.env.DEPLOYMENT_SECRET&&(t=process.env.DEPLOYMENT_SECRET),t||(t=at()[e]),t||(t=process.env[e]),!t)throw new Error(`Secret not found in environment: ${e}`);return t},"getSecretFromEnv"),pt=s(e=>{if(!e)return"";try{return new URL(e).hostname.replace(/\.cognitedata\.com$/,"")}catch{let t=e.replace(/^https?:\/\//,"");return t=t.split("/")[0],t=t.split(":")[0],t=t.replace(/\.cognitedata\.com$/,""),t}},"extractClusterFromUrl"),lt=s(async(e,t)=>{let n=`Basic ${btoa(`${e}:${t}`)}`,r=await fetch("https://auth.cognite.com/oauth2/token",{method:"POST",headers:{Authorization:n,"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({grant_type:"client_credentials"})});if(!r.ok){let i=await r.text();throw new Error(`Failed to get token from CDF: ${r.status} ${r.statusText}
+\u2705 Deployment successful!`)}catch(c){let p=c instanceof Error?c.message:String(c);throw Object.assign(new Error(`Deployment failed: ${p}`),{cause:c})}}};s(b,"AppHostingClient");var S=b;import y from"fs";import d from"path";import{parseAndValidateManifestConfig as rt}from"@cognite/app-sdk/vite";import{BlobReader as ot,Uint8ArrayWriter as st,ZipWriter as it}from"@zip.js/zip.js";var R="package.json",D="package-lock.json",z="manifest.json",_=".cognite",L=class L{constructor(t="dist"){this.distPath=d.isAbsolute(t)?t:d.join(process.cwd(),t),this.appRoot=d.dirname(this.distPath)}validateBuildDirectory(){if(!y.existsSync(this.distPath))throw new Error(`Build directory "${this.distPath}" not found. Run build first.`);let t=d.join(this.appRoot,R);if(!y.existsSync(t))throw new Error(`"${t}" not found. It is required for deployment.`);let n=d.join(this.appRoot,D);if(!y.existsSync(n))throw new Error(`"${n}" not found. It is required for deployment.`)}async createZip(t="app.zip",n=!1){this.validateBuildDirectory(),console.log("\u{1F4E6} Packaging application...");let r=new it(new st,{level:9}),o=s(async(c,p)=>{await r.add(p,new ot(await y.openAsBlob(c))),n&&console.log(`  \u{1F4C4} ${p}`)},"addFile"),i=s(async c=>{let p=await y.promises.readdir(c,{withFileTypes:!0});for(let g of p){let u=d.join(c,g.name);g.isDirectory()?await i(u):await o(u,d.relative(this.distPath,u).replace(/\\/g,"/"))}},"addDir"),a;try{await i(this.distPath);let c=d.join(this.appRoot,R);await o(c,d.posix.join(_,R));let p=d.join(this.appRoot,z);if(y.existsSync(p)){let u=y.readFileSync(p,"utf-8");rt(u,p),await o(p,d.posix.join(_,z))}let g=d.join(this.appRoot,D);await o(g,d.posix.join(_,D)),a=await r.close()}catch(c){let p=c instanceof Error?c.message:String(c);throw new Error(`Failed to create zip: ${p}`)}await y.promises.writeFile(t,a);let l=(a.byteLength/1024/1024).toFixed(2);return console.log(`\u2705 App packaged: ${t} (${l} MB)`),t}};s(L,"ApplicationPackager");var C=L;import{CogniteClient as ut}from"@cognite/sdk";var at=s(()=>{let e=process.env.DEPLOYMENT_SECRETS;if(!e)return{};try{let t=JSON.parse(e),n={};for(let[r,o]of Object.entries(t))if(typeof o=="string"){let i=r.toLowerCase().replace(/_/g,"-");n[i]=o}return n}catch(t){return console.error("Error parsing DEPLOYMENT_SECRETS:",t),{}}},"loadSecretsFromEnv"),ct=s(e=>{let t;if(process.env.DEPLOYMENT_SECRET&&(t=process.env.DEPLOYMENT_SECRET),t||(t=at()[e]),t||(t=process.env[e]),!t)throw new Error(`Secret not found in environment: ${e}`);return t},"getSecretFromEnv"),pt=s(e=>{if(!e)return"";try{return new URL(e).hostname.replace(/\.cognitedata\.com$/,"")}catch{let t=e.replace(/^https?:\/\//,"");return t=t.split("/")[0],t=t.split(":")[0],t=t.replace(/\.cognitedata\.com$/,""),t}},"extractClusterFromUrl"),lt=s(async(e,t)=>{let n=`Basic ${btoa(`${e}:${t}`)}`,r=await fetch("https://auth.cognite.com/oauth2/token",{method:"POST",headers:{Authorization:n,"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({grant_type:"client_credentials"})});if(!r.ok){let i=await r.text();throw new Error(`Failed to get token from CDF: ${r.status} ${r.statusText}
 ${i}`)}let o=await r.json();if(!o.access_token)throw new Error("No access token returned from CDF authentication");return o.access_token},"getTokenCdf"),dt=s(async(e,t,n,r)=>{if(!r)throw new Error("Entra ID authentication requires 'baseUrl' to be set in deployment configuration");let o=pt(r);if(!o)throw new Error(`Entra ID authentication requires 'baseUrl' to be a valid CDF URL (e.g., https://cluster.cognitedata.com), got: ${r}`);let i=`https://login.microsoftonline.com/${n}/oauth2/v2.0/token`,a=`https://${o}.cognitedata.com/.default`,l=await fetch(i,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({client_id:e,client_secret:t,scope:a,grant_type:"client_credentials"})});if(!l.ok){let p=await l.text();throw new Error(`Failed to get token from Entra ID: ${l.status} ${l.statusText}
-${p}`)}let c=await l.json();if(!c.access_token)throw new Error("No access token returned from Entra ID authentication");return c.access_token},"getTokenEntra"),O=s(async(e,t=process.env)=>{if(t.COGNITE_TOKEN)return t.COGNITE_TOKEN;let{deployClientId:n,deploySecretName:r,idpType:o="cdf",tenantId:i,baseUrl:a}=e,l=ct(r);if(o==="entra_id"){if(!i)throw new Error("Entra ID authentication requires 'tenantId' in deployment configuration");return dt(n,l,i,a)}return lt(n,l)},"getToken");async function U(e,t,n=process.env,r){let o=await O(e,n),i=n.COGNITE_BASE_URL??e.baseUrl,a=(r??(l=>new ut(l)))({appId:t,project:e.project,baseUrl:i,oidcTokenProvider:s(async()=>o,"oidcTokenProvider")});return await a.authenticate(),a}s(U,"getSdk");var ft=s(async(e,t,n)=>{let r=await new C(`${n}/dist`).createZip("app.zip",!0);try{let{externalId:o,name:i,description:a,versionTag:l}=t,c=await U(e,n),p=new P(c),g=Y.readFileSync(r),u=gt.basename(r);await p.deploy(o,i,a,l,g,u,e.published)}finally{try{Y.unlinkSync(r)}catch{}}},"deploy");export{P as a,C as b,O as c,U as d,ft as e};
+${p}`)}let c=await l.json();if(!c.access_token)throw new Error("No access token returned from Entra ID authentication");return c.access_token},"getTokenEntra"),O=s(async(e,t=process.env)=>{if(t.COGNITE_TOKEN)return t.COGNITE_TOKEN;let{deployClientId:n,deploySecretName:r,idpType:o="cdf",tenantId:i,baseUrl:a}=e,l=ct(r);if(o==="entra_id"){if(!i)throw new Error("Entra ID authentication requires 'tenantId' in deployment configuration");return dt(n,l,i,a)}return lt(n,l)},"getToken");async function U(e,t,n=process.env,r){let o=await O(e,n),i=n.COGNITE_BASE_URL??e.baseUrl,a=(r??(l=>new ut(l)))({appId:t,project:e.project,baseUrl:i,oidcTokenProvider:s(async()=>o,"oidcTokenProvider")});return await a.authenticate(),a}s(U,"getSdk");var ft=s(async(e,t,n)=>{let r=await new C(`${n}/dist`).createZip("app.zip",!0);try{let{externalId:o,name:i,description:a,versionTag:l}=t,c=await U(e,n),p=new S(c),g=Y.readFileSync(r),u=gt.basename(r);await p.deploy(o,i,a,l,g,u,e.published)}finally{try{Y.unlinkSync(r)}catch{}}},"deploy");export{S as a,C as b,O as c,U as d,ft as e};

package/dist/cli/cli.js

@@ -1,13 +1,13 @@
 #!/usr/bin/env node
-import{a as o,e as Be}from"../chunk-A5ASLC6T.js";import{writeSync as Yi}from"fs";import{Command as Ji}from"commander";var Ye="https://docs.cognite.com/cdf/access/";function k(e){return e!==null&&typeof e=="object"}o(k,"isRecord");function B(e){return e instanceof Error&&"status"in e&&typeof e.status=="number"}o(B,"isHttpError");function Ln(e){switch(e){case 401:return`Your credentials are invalid or expired. Check your client ID and secret.
-  See: ${Ye}`;case 403:return`You don't have the required CDF capabilities. Please contact your CDF admin.
-  See: ${Ye}`;default:return}}o(Ln,"httpStatusHint");function V(e){let t=e instanceof Error?e:new Error(String(e));if(!B(t))return null;let n=Ln(t.status);return n?Object.assign(new Error(`${t.message}
-  ${n}`),{cause:t}):null}o(V,"enrichedHttpError");function Nn(e){if(!k(e))return null;let t=e.missing;if(Array.isArray(t))return t;let n=e.data;if(k(n)){let r=n.error;if(k(r)&&Array.isArray(r.missing))return r.missing;if(Array.isArray(n.missing))return n.missing}return null}o(Nn,"findMissingArray");function Kn(e,t){if(!B(e)||e.status!==400)return!1;let n=Nn(e);return n?n.some(r=>k(r)&&typeof r.externalId=="string"&&t.includes(r.externalId)):!1}o(Kn,"isMissingExternalIdError");function le(e,t){return B(e)&&e.status===404||Kn(e,t)}o(le,"isNotFoundError");var Xe=["DRAFT","PUBLISHED","DEPRECATED","ARCHIVED"],ze=["ACTIVE","PREVIEW"],me=class me extends Error{constructor(t,n){super(`Version ${n} of app ${t} not found`),this.name="AppVersionNotFoundError",this.appExternalId=t,this.version=n}};o(me,"AppVersionNotFoundError");var E=me;function We(e,t){return e.includes(t)}o(We,"includesValue");function jn(e){return We(Xe,e)}o(jn,"isAppVersionLifecycleState");function Mn(e){return We(ze,e)}o(Mn,"isAppVersionAlias");function Vn(e){return typeof e.version=="string"&&jn(e.lifecycleState)&&typeof e.entrypoint=="string"&&typeof e.createdTime=="number"&&typeof e.createdBy=="string"&&typeof e.appExternalId=="string"&&(e.alias===void 0||Mn(e.alias))&&(e.comment===void 0||typeof e.comment=="string")}o(Vn,"isAppVersion");function Je(e){if(!k(e))throw new Error("Invalid version response: not an object");if(!Vn(e))throw new Error("Invalid version response: missing or malformed fields");return e}o(Je,"parseAppVersion");var de=class de{constructor(t){this.client=t}get appsBasePath(){return`/api/v1/projects/${encodeURIComponent(this.client.project)}/apphosting/apps`}async createApp(t,n,r){try{await this.client.post(this.appsBasePath,{data:{items:[{externalId:t,name:n,description:r}]}})}catch(i){throw V(i)??i}}async uploadVersion(t,n,r,i,s="index.html"){console.log(`\u{1F4E4} Uploading version ${n}...`);let a=new FormData;a.append("file",new Blob([new Uint8Array(r)]),i),a.append("version",n),a.append("entryPath",s);let c=encodeURIComponent(t),p=`${this.appsBasePath}/${c}/versions`,l=await this.client.authenticate(),m=`${this.client.getBaseUrl()}${p}`,d=new AbortController,u=setTimeout(()=>d.abort(),300*1e3),f;try{f=await fetch(m,{method:"POST",headers:{Authorization:`Bearer ${l}`},body:a,signal:d.signal})}catch(g){throw g instanceof Error&&g.name==="AbortError"?new Error("Upload timed out after 5 minutes"):g}finally{clearTimeout(u)}if(!f.ok){let g=await f.text(),b=g;try{let _=JSON.parse(g);if(k(_)){let x=_.error;if(typeof x=="string")b=x;else if(k(x)){let A=x.message,y=x.code;b=typeof A=="string"?A:y!=null?`Unknown error (code: ${y})`:g}else{let A=_.message;b=typeof A=="string"?A:g}}}catch{}let v=f.headers.get("x-request-id"),Z=v?` | X-Request-ID: ${v}`:"",M=Object.assign(new Error(`Upload failed: ${f.status} \u2014 ${b}${Z}`),{status:f.status});throw V(M)??M}console.log(`\u2705 Version ${n} uploaded`)}async getVersion(t,n){let r=encodeURIComponent(t),i=encodeURIComponent(n),s=`${this.appsBasePath}/${r}/versions/${i}`;try{let a=await this.client.get(s);return Je(a.data)}catch(a){throw le(a,[t,n])?new E(t,n):V(a)??a}}async getActiveVersion(t){let n=encodeURIComponent(t),r=`${this.appsBasePath}/${n}/active`;try{let i=await this.client.get(r);return Je(i.data)}catch(i){if(le(i,[t]))return null;throw V(i)??i}}async updateVersions(t,n){let r=encodeURIComponent(t),i=`${this.appsBasePath}/${r}/versions/update`;try{await this.client.post(i,{data:{items:n}})}catch(s){throw V(s)??s}}};o(de,"AppHostingApi");var ee=de;var ue=class ue{constructor(t){this.api=new ee(t)}getVersion(t,n){return this.api.getVersion(t,n)}uploadVersion(t,n,r,i,s){return this.api.uploadVersion(t,n,r,i,s)}async ensureApp(t,n,r){console.log("\u{1F50D} Ensuring app exists...");try{await this.api.createApp(t,n,r),console.log(`\u2705 App '${t}' created`)}catch(i){if(B(i)&&i.status===409){console.log(`\u2705 App '${t}' already exists`);return}throw i}}async publishVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"}}}])}async publishAndActivate(t,n){console.log(`\u{1F680} Publishing and activating version ${n}...`),await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"},alias:{set:"ACTIVE"}}}]),console.log(`\u2705 Version ${n} is now PUBLISHED and ACTIVE`)}async activateVersion(t,n){let r=null;try{r=await this.api.getActiveVersion(t)}catch{r=null}let i=r&&r.version!==n?r.version:void 0;return await this.api.updateVersions(t,[{version:n,update:{alias:{set:"ACTIVE"}}}]),{supersededVersion:i}}async deploy(t,n,r,i,s,a,c=!1){console.log(`
+import{a as o,e as qe}from"../chunk-A5ASLC6T.js";import{writeSync as is}from"fs";import{Command as ss}from"commander";var Qe="https://docs.cognite.com/cdf/access/";function _(e){return e!==null&&typeof e=="object"}o(_,"isRecord");function X(e){return e instanceof Error&&"status"in e&&typeof e.status=="number"}o(X,"isHttpError");function Bn(e){switch(e){case 401:return`Your credentials are invalid or expired. Check your client ID and secret.
+  See: ${Qe}`;case 403:return`You don't have the required CDF capabilities. Please contact your CDF admin.
+  See: ${Qe}`;default:return}}o(Bn,"httpStatusHint");function B(e){let t=e instanceof Error?e:new Error(String(e));if(!X(t))return null;let n=Bn(t.status);return n?Object.assign(new Error(`${t.message}
+  ${n}`),{cause:t}):null}o(B,"enrichedHttpError");function Yn(e){if(!_(e))return null;let t=e.missing;if(Array.isArray(t))return t;let n=e.data;if(_(n)){let r=n.error;if(_(r)&&Array.isArray(r.missing))return r.missing;if(Array.isArray(n.missing))return n.missing}return null}o(Yn,"findMissingArray");function Jn(e,t){if(!X(e)||e.status!==400)return!1;let n=Yn(e);return n?n.some(r=>_(r)&&typeof r.externalId=="string"&&t.includes(r.externalId)):!1}o(Jn,"isMissingExternalIdError");function ye(e,t){return X(e)&&e.status===404||Jn(e,t)}o(ye,"isNotFoundError");var et=["DRAFT","PUBLISHED","DEPRECATED","ARCHIVED"],tt=["ACTIVE","PREVIEW"],he=class he extends Error{constructor(t,n){super(`Version ${n} of app ${t} not found`),this.name="AppVersionNotFoundError",this.appExternalId=t,this.version=n}};o(he,"AppVersionNotFoundError");var k=he;function nt(e,t){return e.includes(t)}o(nt,"includesValue");function zn(e){return nt(et,e)}o(zn,"isAppVersionLifecycleState");function Xn(e){return nt(tt,e)}o(Xn,"isAppVersionAlias");function Wn(e){return typeof e.version=="string"&&zn(e.lifecycleState)&&typeof e.entrypoint=="string"&&typeof e.createdTime=="number"&&typeof e.createdBy=="string"&&typeof e.appExternalId=="string"&&(e.alias===void 0||Xn(e.alias))&&(e.comment===void 0||typeof e.comment=="string")}o(Wn,"isAppVersion");function Ze(e){if(!_(e))throw new Error("Invalid version response: not an object");if(!Wn(e))throw new Error("Invalid version response: missing or malformed fields");return e}o(Ze,"parseAppVersion");var Ce=class Ce{constructor(t){this.client=t}get appsBasePath(){return`/api/v1/projects/${encodeURIComponent(this.client.project)}/apphosting/apps`}async createApp(t,n,r){try{await this.client.post(this.appsBasePath,{data:{items:[{externalId:t,name:n,description:r}]}})}catch(i){throw B(i)??i}}async uploadVersion(t,n,r,i,a="index.html"){console.log(`\u{1F4E4} Uploading version ${n}...`);let s=new FormData;s.append("file",new Blob([new Uint8Array(r)]),i),s.append("version",n),s.append("entryPath",a);let p=encodeURIComponent(t),c=`${this.appsBasePath}/${p}/versions`,l=await this.client.authenticate(),m=`${this.client.getBaseUrl()}${c}`,d=new AbortController,u=setTimeout(()=>d.abort(),300*1e3),C;try{C=await fetch(m,{method:"POST",headers:{Authorization:`Bearer ${l}`},body:s,signal:d.signal})}catch(g){throw g instanceof Error&&g.name==="AbortError"?new Error("Upload timed out after 5 minutes"):g}finally{clearTimeout(u)}if(!C.ok){let g=await C.text(),E=g;try{let A=JSON.parse(g);if(_(A)){let P=A.error;if(typeof P=="string")E=P;else if(_(P)){let x=P.message,f=P.code;E=typeof x=="string"?x:f!=null?`Unknown error (code: ${f})`:g}else{let x=A.message;E=typeof x=="string"?x:g}}}catch{}let S=C.headers.get("x-request-id"),y=S?` | X-Request-ID: ${S}`:"",R=Object.assign(new Error(`Upload failed: ${C.status} \u2014 ${E}${y}`),{status:C.status});throw B(R)??R}console.log(`\u2705 Version ${n} uploaded`)}async getVersion(t,n){let r=encodeURIComponent(t),i=encodeURIComponent(n),a=`${this.appsBasePath}/${r}/versions/${i}`;try{let s=await this.client.get(a);return Ze(s.data)}catch(s){throw ye(s,[t,n])?new k(t,n):B(s)??s}}async getActiveVersion(t){let n=encodeURIComponent(t),r=`${this.appsBasePath}/${n}/active`;try{let i=await this.client.get(r);return Ze(i.data)}catch(i){if(ye(i,[t]))return null;throw B(i)??i}}async updateVersions(t,n){let r=encodeURIComponent(t),i=`${this.appsBasePath}/${r}/versions/update`;try{await this.client.post(i,{data:{items:n}})}catch(a){throw B(a)??a}}};o(Ce,"AppHostingApi");var se=Ce;var we=class we{constructor(t){this.api=new se(t)}getVersion(t,n){return this.api.getVersion(t,n)}uploadVersion(t,n,r,i,a){return this.api.uploadVersion(t,n,r,i,a)}async ensureApp(t,n,r){console.log("\u{1F50D} Ensuring app exists...");try{await this.api.createApp(t,n,r),console.log(`\u2705 App '${t}' created`)}catch(i){if(X(i)&&i.status===409){console.log(`\u2705 App '${t}' already exists`);return}throw i}}async publishVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"}}}])}async publishAndActivate(t,n){console.log(`\u{1F680} Publishing and activating version ${n}...`),await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"},alias:{set:"ACTIVE"}}}]),console.log(`\u2705 Version ${n} is now PUBLISHED and ACTIVE`)}getActiveVersion(t){return this.api.getActiveVersion(t)}async deactivateVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{alias:{setNull:!0}}}])}async activateVersion(t,n){let r=null;try{r=await this.api.getActiveVersion(t)}catch{r=null}let i=r&&r.version!==n?r.version:void 0;return await this.api.updateVersions(t,[{version:n,update:{alias:{set:"ACTIVE"}}}]),{supersededVersion:i}}async deploy(t,n,r,i,a,s,p=!1){console.log(`
 \u{1F680} Deploying application via App Hosting API...
-`);try{await this.ensureApp(t,n,r),await this.uploadVersion(t,i,s,a),c&&await this.publishAndActivate(t,i),console.log(`
-\u2705 Deployment successful!`)}catch(p){let l=p instanceof Error?p.message:String(p);throw Object.assign(new Error(`Deployment failed: ${l}`),{cause:p})}}};o(ue,"AppHostingClient");var h=ue;import{existsSync as Zn,readFileSync as er}from"fs";import{resolve as tr}from"path";import{array as Hn,boolean as Gn,check as qe,forward as Qe,literal as Bn,maxLength as Yn,minLength as Jn,nonEmpty as H,object as Ze,optional as U,picklist as Xn,pipe as D,safeParse as zn,string as S,url as Wn}from"valibot";var ge=D(S(),H("must not be empty")),fe=D(S(),H("must not be empty"),Yn(256,"must be 256 characters or fewer")),ye=D(S(),H("must not be empty"),Wn("must be a valid URL")),he=D(S(),H("must not be empty")),we=D(S(),H("must not be empty")),qn=D(Ze({org:he,project:we,baseUrl:ye,deployClientId:U(S(),""),deploySecretName:U(S(),""),published:U(Gn(),!1),idpType:U(Xn(["cdf","entra_id"]),"cdf"),tenantId:U(S())}),Qe(qe(e=>e.idpType!=="entra_id"||!!e.tenantId,'must be set when idpType is "entra_id"'),["tenantId"]),Qe(qe(e=>!e.deployClientId||!!e.deploySecretName,"must be set when deployClientId is set"),["deploySecretName"])),Qn=Ze({name:ge,externalId:fe,versionTag:D(S(),H("must not be empty")),description:U(S(),""),deployments:D(Hn(qn),Jn(1,"must contain at least one deployment")),infra:U(Bn("appsApi"))});function Ce(e){let t=zn(Qn,e);if(t.success)return t.output;let n=t.issues[0],r=n.path?.map(s=>s.key).join(".")??"",i=r?`"${r}" `:"";throw new Error(`app.json: ${i}${n.message}`)}o(Ce,"validateAppConfig");function C(e,t={}){let{validator:n=Ce,existsSync:r=Zn,readFileSync:i=er}=t,s=tr(e,"app.json");if(!r(s))throw new Error("No app.json found in current directory. Make sure you're running this command from your app's root directory.");let a=i(s,"utf-8"),c;try{c=JSON.parse(a)}catch{throw new Error("Failed to parse app.json \u2014 check that it contains valid JSON.")}return n(c)}o(C,"loadAppConfig");import{CogniteClient as br}from"@cognite/sdk";import{CogniteClient as ar}from"@cognite/sdk";var nr=o(()=>{let e=process.env.DEPLOYMENT_SECRETS;if(!e)return{};try{let t=JSON.parse(e),n={};for(let[r,i]of Object.entries(t))if(typeof i=="string"){let s=r.toLowerCase().replace(/_/g,"-");n[s]=i}return n}catch(t){return console.error("Error parsing DEPLOYMENT_SECRETS:",t),{}}},"loadSecretsFromEnv"),rr=o(e=>{let t;if(process.env.DEPLOYMENT_SECRET&&(t=process.env.DEPLOYMENT_SECRET),t||(t=nr()[e]),t||(t=process.env[e]),!t)throw new Error(`Secret not found in environment: ${e}`);return t},"getSecretFromEnv"),or=o(e=>{if(!e)return"";try{return new URL(e).hostname.replace(/\.cognitedata\.com$/,"")}catch{let t=e.replace(/^https?:\/\//,"");return t=t.split("/")[0],t=t.split(":")[0],t=t.replace(/\.cognitedata\.com$/,""),t}},"extractClusterFromUrl"),ir=o(async(e,t)=>{let n=`Basic ${btoa(`${e}:${t}`)}`,r=await fetch("https://auth.cognite.com/oauth2/token",{method:"POST",headers:{Authorization:n,"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({grant_type:"client_credentials"})});if(!r.ok){let s=await r.text();throw new Error(`Failed to get token from CDF: ${r.status} ${r.statusText}
-${s}`)}let i=await r.json();if(!i.access_token)throw new Error("No access token returned from CDF authentication");return i.access_token},"getTokenCdf"),sr=o(async(e,t,n,r)=>{if(!r)throw new Error("Entra ID authentication requires 'baseUrl' to be set in deployment configuration");let i=or(r);if(!i)throw new Error(`Entra ID authentication requires 'baseUrl' to be a valid CDF URL (e.g., https://cluster.cognitedata.com), got: ${r}`);let s=`https://login.microsoftonline.com/${n}/oauth2/v2.0/token`,a=`https://${i}.cognitedata.com/.default`,c=await fetch(s,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({client_id:e,client_secret:t,scope:a,grant_type:"client_credentials"})});if(!c.ok){let l=await c.text();throw new Error(`Failed to get token from Entra ID: ${c.status} ${c.statusText}
-${l}`)}let p=await c.json();if(!p.access_token)throw new Error("No access token returned from Entra ID authentication");return p.access_token},"getTokenEntra"),Ee=o(async(e,t=process.env)=>{if(t.COGNITE_TOKEN)return t.COGNITE_TOKEN;let{deployClientId:n,deploySecretName:r,idpType:i="cdf",tenantId:s,baseUrl:a}=e,c=rr(r);if(i==="entra_id"){if(!s)throw new Error("Entra ID authentication requires 'tenantId' in deployment configuration");return sr(n,c,s,a)}return ir(n,c)},"getToken");async function Y(e,t,n=process.env,r){let i=await Ee(e,n),s=n.COGNITE_BASE_URL??e.baseUrl,a=(r??(c=>new ar(c)))({appId:t,project:e.project,baseUrl:s,oidcTokenProvider:o(async()=>i,"oidcTokenProvider")});return await a.authenticate(),a}o(Y,"getSdk");import gr from"os";import fr from"path";import yr from"open";import{buildAuthorizationUrl as hr,calculatePKCECodeChallenge as wr,discovery as Cr,None as Er,randomPKCECodeVerifier as Sr,randomState as vr}from"openid-client";import cr from"https";import{authorizationCodeGrant as pr}from"openid-client";function et(e){return e.replace(/[&<>"']/g,t=>({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"})[t]??t)}o(et,"escapeHtml");function Se(e,t,n){let r=et(t),i=et(n);return`<html><body style="font-family: system-ui; padding: 40px; text-align: center;">
+`);try{await this.ensureApp(t,n,r),await this.uploadVersion(t,i,a,s),p&&await this.publishAndActivate(t,i),console.log(`
+\u2705 Deployment successful!`)}catch(c){let l=c instanceof Error?c.message:String(c);throw Object.assign(new Error(`Deployment failed: ${l}`),{cause:c})}}};o(we,"AppHostingClient");var h=we;import{existsSync as ar,readFileSync as pr}from"fs";import{resolve as cr}from"path";import{array as qn,boolean as Qn,check as rt,forward as ot,literal as Zn,maxLength as er,minLength as tr,nonEmpty as Y,object as it,optional as M,picklist as nr,pipe as U,safeParse as rr,string as D,url as or}from"valibot";var ve=U(D(),Y("must not be empty")),Ee=U(D(),Y("must not be empty"),er(256,"must be 256 characters or fewer")),Se=U(D(),Y("must not be empty"),or("must be a valid URL")),Pe=U(D(),Y("must not be empty")),xe=U(D(),Y("must not be empty")),ir=U(it({org:Pe,project:xe,baseUrl:Se,deployClientId:M(D(),""),deploySecretName:M(D(),""),published:M(Qn(),!1),idpType:M(nr(["cdf","entra_id"]),"cdf"),tenantId:M(D())}),ot(rt(e=>e.idpType!=="entra_id"||!!e.tenantId,'must be set when idpType is "entra_id"'),["tenantId"]),ot(rt(e=>!e.deployClientId||!!e.deploySecretName,"must be set when deployClientId is set"),["deploySecretName"])),sr=it({name:ve,externalId:Ee,versionTag:U(D(),Y("must not be empty")),description:M(D(),""),deployments:U(qn(ir),tr(1,"must contain at least one deployment")),infra:M(Zn("appsApi"))});function be(e){let t=rr(sr,e);if(t.success)return t.output;let n=t.issues[0],r=n.path?.map(a=>a.key).join(".")??"",i=r?`"${r}" `:"";throw new Error(`app.json: ${i}${n.message}`)}o(be,"validateAppConfig");function w(e,t={}){let{validator:n=be,existsSync:r=ar,readFileSync:i=pr}=t,a=cr(e,"app.json");if(!r(a))throw new Error("No app.json found in current directory. Make sure you're running this command from your app's root directory.");let s=i(a,"utf-8"),p;try{p=JSON.parse(s)}catch{throw new Error("Failed to parse app.json \u2014 check that it contains valid JSON.")}return n(p)}o(w,"loadAppConfig");import{CogniteClient as Or}from"@cognite/sdk";import{CogniteClient as fr}from"@cognite/sdk";var lr=o(()=>{let e=process.env.DEPLOYMENT_SECRETS;if(!e)return{};try{let t=JSON.parse(e),n={};for(let[r,i]of Object.entries(t))if(typeof i=="string"){let a=r.toLowerCase().replace(/_/g,"-");n[a]=i}return n}catch(t){return console.error("Error parsing DEPLOYMENT_SECRETS:",t),{}}},"loadSecretsFromEnv"),mr=o(e=>{let t;if(process.env.DEPLOYMENT_SECRET&&(t=process.env.DEPLOYMENT_SECRET),t||(t=lr()[e]),t||(t=process.env[e]),!t)throw new Error(`Secret not found in environment: ${e}`);return t},"getSecretFromEnv"),dr=o(e=>{if(!e)return"";try{return new URL(e).hostname.replace(/\.cognitedata\.com$/,"")}catch{let t=e.replace(/^https?:\/\//,"");return t=t.split("/")[0],t=t.split(":")[0],t=t.replace(/\.cognitedata\.com$/,""),t}},"extractClusterFromUrl"),ur=o(async(e,t)=>{let n=`Basic ${btoa(`${e}:${t}`)}`,r=await fetch("https://auth.cognite.com/oauth2/token",{method:"POST",headers:{Authorization:n,"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({grant_type:"client_credentials"})});if(!r.ok){let a=await r.text();throw new Error(`Failed to get token from CDF: ${r.status} ${r.statusText}
+${a}`)}let i=await r.json();if(!i.access_token)throw new Error("No access token returned from CDF authentication");return i.access_token},"getTokenCdf"),gr=o(async(e,t,n,r)=>{if(!r)throw new Error("Entra ID authentication requires 'baseUrl' to be set in deployment configuration");let i=dr(r);if(!i)throw new Error(`Entra ID authentication requires 'baseUrl' to be a valid CDF URL (e.g., https://cluster.cognitedata.com), got: ${r}`);let a=`https://login.microsoftonline.com/${n}/oauth2/v2.0/token`,s=`https://${i}.cognitedata.com/.default`,p=await fetch(a,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({client_id:e,client_secret:t,scope:s,grant_type:"client_credentials"})});if(!p.ok){let l=await p.text();throw new Error(`Failed to get token from Entra ID: ${p.status} ${p.statusText}
+${l}`)}let c=await p.json();if(!c.access_token)throw new Error("No access token returned from Entra ID authentication");return c.access_token},"getTokenEntra"),Ae=o(async(e,t=process.env)=>{if(t.COGNITE_TOKEN)return t.COGNITE_TOKEN;let{deployClientId:n,deploySecretName:r,idpType:i="cdf",tenantId:a,baseUrl:s}=e,p=mr(r);if(i==="entra_id"){if(!a)throw new Error("Entra ID authentication requires 'tenantId' in deployment configuration");return gr(n,p,a,s)}return ur(n,p)},"getToken");async function W(e,t,n=process.env,r){let i=await Ae(e,n),a=n.COGNITE_BASE_URL??e.baseUrl,s=(r??(p=>new fr(p)))({appId:t,project:e.project,baseUrl:a,oidcTokenProvider:o(async()=>i,"oidcTokenProvider")});return await s.authenticate(),s}o(W,"getSdk");import Sr from"os";import Pr from"path";import xr from"open";import{buildAuthorizationUrl as br,calculatePKCECodeChallenge as Ar,discovery as kr,None as Dr,randomPKCECodeVerifier as Ir,randomState as $r}from"openid-client";import yr from"https";import{authorizationCodeGrant as hr}from"openid-client";function st(e){return e.replace(/[&<>"']/g,t=>({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"})[t]??t)}o(st,"escapeHtml");function ke(e,t,n){let r=st(t),i=st(n);return`<html><body style="font-family: system-ui; padding: 40px; text-align: center;">
     <h1>${r}</h1><p>${i}</p><p>You can close this window.</p>${e==="success"?`<style>
       @keyframes checkmark {
         0% { transform: scale(0); }
@@ -16,40 +16,40 @@ ${l}`)}let p=await c.json();if(!p.access_token)throw new Error("No access token
       }
       h1 { animation: checkmark 0.5s ease-out; }
     </style>`:""}
-  </body></html>`}o(Se,"generateHtml");async function lr(e,t,n,r,i,s){let a=new URL(e.url??"/",`https://${e.headers.host??"localhost"}`);if(a.pathname!=="/")return t.writeHead(404),t.end("Not found"),{shouldClose:!1};try{console.log("\u{1F504} Exchanging authorization code for tokens...");let c=await s.authorizationCodeGrant(n,a,{pkceCodeVerifier:r,expectedState:i});return t.writeHead(200,{"Content-Type":"text/html"}),t.end(Se("success","Login Successful!","You can close this window and return to the terminal.")),{shouldClose:!0,tokens:c}}catch(c){let p=c instanceof Error?c:new Error(String(c));return t.writeHead(400,{"Content-Type":"text/html"}),t.end(Se("error","Authentication Error",p.message)),{shouldClose:!0,error:p}}}o(lr,"handleCallback");function mr(e){let t=e/6e4,n=Math.round(t*10)/10;return`${n} ${n===1?"minute":"minutes"}`}o(mr,"formatTimeoutMinutes");function tt(e,t,n,r,i,s={createServer:cr.createServer,setTimeout:globalThis.setTimeout,clearTimeout:globalThis.clearTimeout,authorizationCodeGrant:pr}){return new Promise((a,c)=>{let p,l=s.setTimeout(()=>{p?.close(),c(new Error(`Login timeout - no response received within ${mr(e.loginTimeout)}`))},e.loginTimeout);p=s.createServer(t,async(m,d)=>{try{let u=await lr(m,d,n,r,i,s);u.shouldClose&&(s.clearTimeout(l),p?.close(),u.error?c(u.error):u.tokens?a(u.tokens):c(new Error("No tokens received")))}catch(u){s.clearTimeout(l),p?.close(),c(u instanceof Error?u:new Error(String(u)))}}),p.on("error",m=>{s.clearTimeout(l),m.code==="EADDRINUSE"?console.error(`\u274C Port ${e.port} is already in use.`):console.error(`\u274C Server error: ${m.message}`),c(m)}),p.listen(e.port,"127.0.0.1",()=>{console.log(`\u{1F310} Local HTTPS server started on https://localhost:${e.port}`)})})}o(tt,"startCallbackServer");import{execFileSync as dr}from"child_process";import ve from"fs";import nt from"path";function rt(e,t,n){return{key:n.readFileSync(e),cert:n.readFileSync(t)}}o(rt,"loadCertificates");function ur(e,t,n,r){console.log("\u{1F510} Generating self-signed certificate for HTTPS..."),r.existsSync(e)||r.mkdirSync(e,{recursive:!0});try{return r.execFileSync("openssl",["req","-x509","-newkey","rsa:2048","-nodes","-sha256","-subj","/CN=localhost","-keyout",t,"-out",n,"-days","365"],{stdio:["ignore","pipe","ignore"]}),console.log("\u2705 Certificate generated and saved locally"),rt(t,n,r)}catch{throw new Error(`Failed to generate self-signed certificate. Make sure openssl is installed.
+  </body></html>`}o(ke,"generateHtml");async function Cr(e,t,n,r,i,a){let s=new URL(e.url??"/",`https://${e.headers.host??"localhost"}`);if(s.pathname!=="/")return t.writeHead(404),t.end("Not found"),{shouldClose:!1};try{console.log("\u{1F504} Exchanging authorization code for tokens...");let p=await a.authorizationCodeGrant(n,s,{pkceCodeVerifier:r,expectedState:i});return t.writeHead(200,{"Content-Type":"text/html"}),t.end(ke("success","Login Successful!","You can close this window and return to the terminal.")),{shouldClose:!0,tokens:p}}catch(p){let c=p instanceof Error?p:new Error(String(p));return t.writeHead(400,{"Content-Type":"text/html"}),t.end(ke("error","Authentication Error",c.message)),{shouldClose:!0,error:c}}}o(Cr,"handleCallback");function wr(e){let t=e/6e4,n=Math.round(t*10)/10;return`${n} ${n===1?"minute":"minutes"}`}o(wr,"formatTimeoutMinutes");function at(e,t,n,r,i,a={createServer:yr.createServer,setTimeout:globalThis.setTimeout,clearTimeout:globalThis.clearTimeout,authorizationCodeGrant:hr}){return new Promise((s,p)=>{let c,l=a.setTimeout(()=>{c?.close(),p(new Error(`Login timeout - no response received within ${wr(e.loginTimeout)}`))},e.loginTimeout);c=a.createServer(t,async(m,d)=>{try{let u=await Cr(m,d,n,r,i,a);u.shouldClose&&(a.clearTimeout(l),c?.close(),u.error?p(u.error):u.tokens?s(u.tokens):p(new Error("No tokens received")))}catch(u){a.clearTimeout(l),c?.close(),p(u instanceof Error?u:new Error(String(u)))}}),c.on("error",m=>{a.clearTimeout(l),m.code==="EADDRINUSE"?console.error(`\u274C Port ${e.port} is already in use.`):console.error(`\u274C Server error: ${m.message}`),p(m)}),c.listen(e.port,"127.0.0.1",()=>{console.log(`\u{1F310} Local HTTPS server started on https://localhost:${e.port}`)})})}o(at,"startCallbackServer");import{execFileSync as vr}from"child_process";import De from"fs";import pt from"path";function ct(e,t,n){return{key:n.readFileSync(e),cert:n.readFileSync(t)}}o(ct,"loadCertificates");function Er(e,t,n,r){console.log("\u{1F510} Generating self-signed certificate for HTTPS..."),r.existsSync(e)||r.mkdirSync(e,{recursive:!0});try{return r.execFileSync("openssl",["req","-x509","-newkey","rsa:2048","-nodes","-sha256","-subj","/CN=localhost","-keyout",t,"-out",n,"-days","365"],{stdio:["ignore","pipe","ignore"]}),console.log("\u2705 Certificate generated and saved locally"),ct(t,n,r)}catch{throw new Error(`Failed to generate self-signed certificate. Make sure openssl is installed.
   On macOS: openssl is pre-installed
   On Linux: sudo apt-get install openssl
-  On Windows: Install OpenSSL or use WSL`)}}o(ur,"generateCertificate");function ot(e,t={existsSync:ve.existsSync,readFileSync:o(n=>ve.readFileSync(n),"readFileSync"),mkdirSync:o((n,r)=>{ve.mkdirSync(n,r)},"mkdirSync"),execFileSync:dr}){let n=nt.join(e,"localhost-key.pem"),r=nt.join(e,"localhost-cert.pem");return t.existsSync(n)&&t.existsSync(r)?rt(n,r,t):ur(e,n,r,t)}o(ot,"getOrCreateCertificates");var xr={authority:"https://auth.cognite.com",clientId:"0404baaa-0a90-43a2-aba7-a110b53fb41c",redirectUri:"https://localhost:3000/",port:3e3,loginTimeout:300*1e3,certDir:fr.join(gr.homedir(),".cdf-login")},Pr={open:yr,getOrCreateCertificates:ot,startCallbackServer:tt,discovery:Cr,buildAuthorizationUrl:hr,randomPKCECodeVerifier:Sr,calculatePKCECodeChallenge:wr,randomState:vr,logger:console};async function st(e,t=xr,n){return n===void 0?it(e,t,Pr):it(e,t,n)}o(st,"login");async function it(e,t,n){n.logger.log(`\u{1F510} Starting CDF login flow...
-`),n.logger.log(`\u{1F4E1} Fetching OpenID configuration from ${t.authority}...`);let r=await n.discovery(new URL(t.authority),t.clientId,void 0,Er()),i=n.randomPKCECodeVerifier(),s=await n.calculatePKCECodeChallenge(i),a=n.randomState(),c={redirect_uri:t.redirectUri,scope:"openid profile email",code_challenge:s,code_challenge_method:"S256",state:a};e&&(c.organization_hint=e);let p=n.buildAuthorizationUrl(r,c).toString(),l=n.getOrCreateCertificates(t.certDir);e&&n.logger.log(`\u{1F3E2} Organization: ${e}`),n.logger.log(`\u{1F680} Opening browser for authentication...
-`);try{await n.open(p)}catch(m){let d=m instanceof Error?m.message:String(m);n.logger.error("\u274C Failed to open browser automatically."),n.logger.error(`  Reason: ${d}`),n.logger.error(`Please open this URL manually:
-`),n.logger.error(p),n.logger.error("")}return n.startCallbackServer(t,l,r,i,a)}o(it,"loginImpl");async function I(e,t,n={}){let{login:r=st,getSdk:i=Y,createClient:s=o(a=>new br(a),"createClient")}=n;if(t.interactive){let a=t.orgHint||e.org||void 0,c=await r(a),p=s({appId:t.appId,project:e.project,baseUrl:e.baseUrl,getToken:o(async()=>c.access_token,"getToken")});return await p.authenticate(),p}return i(e,t.appId)}o(I,"getClientForDeployment");import at from"enquirer";var ct="Enter custom target...";function pt(e,t){let n=t.map((r,i)=>`  ${i}: ${r.org}/${r.project}`).join(`
+  On Windows: Install OpenSSL or use WSL`)}}o(Er,"generateCertificate");function lt(e,t={existsSync:De.existsSync,readFileSync:o(n=>De.readFileSync(n),"readFileSync"),mkdirSync:o((n,r)=>{De.mkdirSync(n,r)},"mkdirSync"),execFileSync:vr}){let n=pt.join(e,"localhost-key.pem"),r=pt.join(e,"localhost-cert.pem");return t.existsSync(n)&&t.existsSync(r)?ct(n,r,t):Er(e,n,r,t)}o(lt,"getOrCreateCertificates");var Tr={authority:"https://auth.cognite.com",clientId:"0404baaa-0a90-43a2-aba7-a110b53fb41c",redirectUri:"https://localhost:3000/",port:3e3,loginTimeout:300*1e3,certDir:Pr.join(Sr.homedir(),".cdf-login")},Fr={open:xr,getOrCreateCertificates:lt,startCallbackServer:at,discovery:kr,buildAuthorizationUrl:br,randomPKCECodeVerifier:Ir,calculatePKCECodeChallenge:Ar,randomState:$r,logger:console};async function dt(e,t=Tr,n){return n===void 0?mt(e,t,Fr):mt(e,t,n)}o(dt,"login");async function mt(e,t,n){n.logger.log(`\u{1F510} Starting CDF login flow...
+`),n.logger.log(`\u{1F4E1} Fetching OpenID configuration from ${t.authority}...`);let r=await n.discovery(new URL(t.authority),t.clientId,void 0,Dr()),i=n.randomPKCECodeVerifier(),a=await n.calculatePKCECodeChallenge(i),s=n.randomState(),p={redirect_uri:t.redirectUri,scope:"openid profile email",code_challenge:a,code_challenge_method:"S256",state:s};e&&(p.organization_hint=e);let c=n.buildAuthorizationUrl(r,p).toString(),l=n.getOrCreateCertificates(t.certDir);e&&n.logger.log(`\u{1F3E2} Organization: ${e}`),n.logger.log(`\u{1F680} Opening browser for authentication...
+`);try{await n.open(c)}catch(m){let d=m instanceof Error?m.message:String(m);n.logger.error("\u274C Failed to open browser automatically."),n.logger.error(`  Reason: ${d}`),n.logger.error(`Please open this URL manually:
+`),n.logger.error(c),n.logger.error("")}return n.startCallbackServer(t,l,r,i,s)}o(mt,"loginImpl");async function I(e,t,n={}){let{login:r=dt,getSdk:i=W,createClient:a=o(s=>new Or(s),"createClient")}=n;if(t.interactive){let s=t.orgHint||e.org||void 0,p=await r(s),c=a({appId:t.appId,project:e.project,baseUrl:e.baseUrl,getToken:o(async()=>p.access_token,"getToken")});return await c.authenticate(),c}return i(e,t.appId)}o(I,"getClientForDeployment");import ut from"enquirer";var gt="Enter custom target...";function ft(e,t){let n=t.map((r,i)=>`  ${i}: ${r.org}/${r.project}`).join(`
 `);throw new Error(`Deployment "${e}" not found. Available deployments:
-${n}`)}o(pt,"deploymentNotFoundError");function P(e,t){if(e.length===0)throw new Error("No deployments configured in app.json");if(t===void 0)return e[0];if(/^\d+$/.test(t)){let r=e[Number.parseInt(t)];if(r)return r;pt(t,e)}let n=e.find(r=>r.project===t||`${r.org}/${r.project}`===t);if(n)return n;pt(t,e)}o(P,"findDeployment");function T(e){let t=[];return e.deployClientId||t.push("deployClientId"),e.deploySecretName||t.push("deploySecretName"),t}o(T,"getMissingCredentials");async function $(e,t){if(t.baseUrl&&t.project)return{org:t.org??"",project:t.project,baseUrl:t.baseUrl,deployClientId:"",deploySecretName:"",published:!1,idpType:"cdf"};if(t.deployment!==void 0)return P(e.deployments,t.deployment);let n=[...e.deployments.map(s=>`${s.org}/${s.project}`),ct],{selected:r}=await at.prompt({type:"select",name:"selected",message:"Select deployment target",choices:n});if(r!==ct){let s=e.deployments.find(a=>`${a.org}/${a.project}`===r);if(s)return s;throw new Error(`Deployment "${r}" could not be resolved from app.json.`)}let i=await at.prompt([{type:"input",name:"baseUrl",message:"CDF Base URL",initial:"https://api.cognitedata.com"},{type:"input",name:"project",message:"CDF Project",validate:o(s=>s?!0:"Project is required","validate")},{type:"input",name:"org",message:"Organization (for login hint)",initial:""}]);return{org:i.org||"",project:i.project,baseUrl:i.baseUrl,deployClientId:"",deploySecretName:"",published:!1,idpType:"cdf"}}o($,"resolveDeployment");import{existsSync as Ar}from"fs";import{resolve as kr}from"path";import{config as Dr}from"dotenv";function F(e,t={existsSync:Ar,config:Dr}){let n=kr(e,".env");t.existsSync(n)&&(console.log(`Loading environment variables from ${n}`),t.config({path:n}))}o(F,"loadEnvFile");function O(e){e.infra!=="appsApi"&&(console.error(`
+${n}`)}o(ft,"deploymentNotFoundError");function b(e,t){if(e.length===0)throw new Error("No deployments configured in app.json");if(t===void 0)return e[0];if(/^\d+$/.test(t)){let r=e[Number.parseInt(t)];if(r)return r;ft(t,e)}let n=e.find(r=>r.project===t||`${r.org}/${r.project}`===t);if(n)return n;ft(t,e)}o(b,"findDeployment");function $(e){let t=[];return e.deployClientId||t.push("deployClientId"),e.deploySecretName||t.push("deploySecretName"),t}o($,"getMissingCredentials");async function T(e,t){if(t.baseUrl&&t.project)return{org:t.org??"",project:t.project,baseUrl:t.baseUrl,deployClientId:"",deploySecretName:"",published:!1,idpType:"cdf"};if(t.deployment!==void 0)return b(e.deployments,t.deployment);let n=[...e.deployments.map(a=>`${a.org}/${a.project}`),gt],{selected:r}=await ut.prompt({type:"select",name:"selected",message:"Select deployment target",choices:n});if(r!==gt){let a=e.deployments.find(s=>`${s.org}/${s.project}`===r);if(a)return a;throw new Error(`Deployment "${r}" could not be resolved from app.json.`)}let i=await ut.prompt([{type:"input",name:"baseUrl",message:"CDF Base URL",initial:"https://api.cognitedata.com"},{type:"input",name:"project",message:"CDF Project",validate:o(a=>a?!0:"Project is required","validate")},{type:"input",name:"org",message:"Organization (for login hint)",initial:""}]);return{org:i.org||"",project:i.project,baseUrl:i.baseUrl,deployClientId:"",deploySecretName:"",published:!1,idpType:"cdf"}}o(T,"resolveDeployment");import{existsSync as Rr}from"fs";import{resolve as _r}from"path";import{config as Ur}from"dotenv";function F(e,t={existsSync:Rr,config:Ur}){let n=_r(e,".env");t.existsSync(n)&&(console.log(`Loading environment variables from ${n}`),t.config({path:n}))}o(F,"loadEnvFile");function O(e){e.infra!=="appsApi"&&(console.error(`
 \u26A0\uFE0F  Legacy infrastructure is no longer supported.
 
 Your app.json is missing \`"infra": "appsApi"\`, which means it was created for
 the old CDF Application Registry. This deploy path has been removed.
 
 To migrate: add \`"infra": "appsApi"\` to your app.json, wire up the correct authentication and re-deploy.
-`),process.exit(1))}o(O,"assertAppHostingInfra");async function Ir(e){let t=process.cwd();F(t);let n=C(t);O(n);let r=e.interactive?await $(n,e):P(n.deployments,e.deployment);if(!e.interactive){let m=T(r);if(m.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${m.join(" and ")} in app.json. Use \`npx @cognite/cli@latest apps activate --interactive\` for browser-based authentication instead.`)}let i=await I(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),s=new h(i),{externalId:a,versionTag:c}=n,p;try{p=await s.getVersion(a,c)}catch(m){throw m instanceof E?new Error(`Version ${c} of ${a} has not been deployed yet. Run \`npx @cognite/cli apps deploy\` first.`):m}if(p.alias==="ACTIVE"){console.log(`  ${a} @ ${c} is already ACTIVE \u2014 nothing to do.`);return}if(p.lifecycleState==="DEPRECATED"||p.lifecycleState==="ARCHIVED")throw new Error(`Cannot activate ${a} @ ${c}: version is ${p.lifecycleState} (terminal).`);p.lifecycleState==="DRAFT"&&(await s.publishVersion(a,c),console.log(`\u2713 Published  ${a} @ ${c} is now PUBLISHED`));let{supersededVersion:l}=await s.activateVersion(a,c);console.log(`\u2713 Activated   ${a} @ ${c} is now ACTIVE`),l&&console.log(`  Superseded  ${l} \u2192 PUBLISHED`)}o(Ir,"handleActivate");function lt(e){return e.command("activate").description("Activate the current app version (publish if needed, then set ACTIVE alias)").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
+`),process.exit(1))}o(O,"assertAppHostingInfra");async function Lr(e){let t=process.cwd();F(t);let n=w(t);O(n);let r=e.interactive?await T(n,e):b(n.deployments,e.deployment);if(!e.interactive){let m=$(r);if(m.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${m.join(" and ")} in app.json. Use \`npx @cognite/cli@latest apps activate --interactive\` for browser-based authentication instead.`)}let i=await I(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),a=new h(i),{externalId:s,versionTag:p}=n,c;try{c=await a.getVersion(s,p)}catch(m){throw m instanceof k?new Error(`Version ${p} of ${s} has not been deployed yet. Run \`npx @cognite/cli apps deploy\` first.`):m}if(c.alias==="ACTIVE"){console.log(`  ${s} @ ${p} is already ACTIVE \u2014 nothing to do.`);return}if(c.lifecycleState==="DEPRECATED"||c.lifecycleState==="ARCHIVED")throw new Error(`Cannot activate ${s} @ ${p}: version is ${c.lifecycleState} (terminal).`);c.lifecycleState==="DRAFT"&&(await a.publishVersion(s,p),console.log(`\u2713 Published  ${s} @ ${p} is now PUBLISHED`));let{supersededVersion:l}=await a.activateVersion(s,p);console.log(`\u2713 Activated   ${s} @ ${p} is now ACTIVE`),l&&console.log(`  Superseded  ${l} \u2192 PUBLISHED`)}o(Lr,"handleActivate");function yt(e){return e.command("activate").description("Activate the current app version (publish if needed, then set ACTIVE alias)").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
 Examples:
   npx @cognite/cli apps activate .                   Activate using env-var auth
-  npx @cognite/cli apps activate . --interactive     Activate using browser auth (no secrets needed)`).action((t,n)=>Ir(n))}o(lt,"registerActivateCommand");import{readdirSync as Vr}from"fs";import{basename as Pt,dirname as Hr,normalize as Gr,resolve as X}from"path";import{fileURLToPath as Br,pathToFileURL as Yr}from"url";import{Logger as Jr,runner as Xr}from"hygen";import{safeParse as Tr}from"valibot";function J(e,t){return n=>{let r=Tr(t,n);return r.success?!0:`${e} ${r.issues[0].message}`}}o(J,"toPromptValidator");var mt={name:J("App name",fe),displayName:J("Display name",ge),baseUrl:J("Base URL",ye),org:J("Org",he),project:J("Project",we)};function $r(e,t){return e?async n=>{let r=t(n);return r===!0?e(n):r}:t}o($r,"composeValidators");function te(e){return e.map(t=>{if(!(t.name in mt))return t;let n=mt[t.name];return{...t,validate:$r(t.validate,n)}})}o(te,"applySchemaValidators");import{execFileSync as ne}from"child_process";function dt(e={}){let{execFileSync:t=ne}=e;try{return t("git",["--version"],{stdio:"ignore"}),!0}catch{return!1}}o(dt,"isGitInstalled");function ut(e,t={}){let{execFileSync:n=ne}=t;try{return n("git",["-C",e,"status"],{stdio:"ignore"}),!0}catch{return!1}}o(ut,"isInsideGitRepo");function gt(e,t={}){let{execFileSync:n=ne}=t;n("git",["-C",e,"init"],{stdio:"pipe"}),n("git",["-C",e,"add","."],{stdio:"pipe"}),n("git",["-C",e,"commit","-m","Initial commit","--no-gpg-sign","--no-verify"],{stdio:"pipe"})}o(gt,"gitInitAndCommit");function ft(e={}){let{execFileSync:t=ne}=e;try{return String(t("git",["config","--get","user.email"],{encoding:"utf-8",stdio:["ignore","pipe","ignore"]})).trim()||void 0}catch{return}}o(ft,"gitUserEmail");import{basename as ht}from"path";import wt from"enquirer";function yt(e){return e.replace(/[A-Z]/g,(t,n)=>n===0?t.toLowerCase():`-${t.toLowerCase()}`)}o(yt,"kebabCase");var Fr={type:"confirm",name:"useSpecKit",message:["Enable spec-driven development?","  Adds the github/spec-kit slash commands (/speckit.specify, .clarify, .plan, .tasks, .implement)","  to your app for use in Claude Code or Cursor. They walk you through writing SPEC.md and","  generating a plan, tasks, and implementation."].join(`
-`),initial:!1};async function Or(e){return!!(await e([Fr])).useSpecKit}o(Or,"promptForSpecKit");async function Rr(e,t,n){return e!==void 0?e:t?Or(n):!1}o(Rr,"resolveSpecKit");function Ct({isCurrentDir:e,dirName:t,onAppName:n,onUseSpecKit:r,presets:i={},specKit:s,prompt:a=wt.prompt.bind(wt)}){return()=>({prompt:o(async c=>{if(!Array.isArray(c))return a([c]);let p=Object.fromEntries(Object.entries(i).filter(y=>y[1]!==void 0)),l=Object.keys(p).length>0,m=e?ht(process.cwd()):t?ht(t):null,d=l&&m!==null,u=!d&&m?c.map(y=>y.name==="name"?{...y,initial:m}:y):c,f=te(u),g=d?{...p,name:m}:p,b=new Set(Object.keys(g)),v=f.filter(y=>!b.has(y.name)),Z=v.findIndex(y=>y.name==="baseUrl"),M;if(Z!==-1){let y=v.filter(Un=>Un.name!=="baseUrl"),pe=y.length>0?await a(y):{},$n=typeof pe.cluster=="string"?pe.cluster:"",Fn=typeof g.cluster=="string"?g.cluster:"",On=`https://${($n||Fn).trim().replace(/\/+$/,"")||"api"}.cognitedata.com`,Rn=v[Z],_n=await a([{...Rn,initial:On}]);M={...pe,..._n}}else M=v.length>0?await a(v):{};let _={...g,...M},x=typeof _.name=="string"?_.name:"";x&&n(x);let A=await Rr(s,v.length>0,a);return r?.(A),{..._,name:x,useCurrentDir:e,directoryName:e?void 0:t??void 0,useSpecKit:A}},"prompt")})}o(Ct,"createAppPrompter");async function Et(e,t,n){let r=[];Object.values(t).some(s=>s!==void 0)&&n!==null&&r.push({key:"name",value:n,label:"directory"});for(let[s,a]of Object.entries(t))a!==void 0&&r.push({key:s,value:a,label:`--${yt(s)}`});for(let{key:s,value:a,label:c}of r){let p=e.find(m=>m.name===s)?.validate;if(!p)continue;let l=await p(a);if(l!==!0)throw new Error(`Invalid ${c}: ${l}`)}}o(Et,"validatePresets");import{cpSync as Ur,mkdirSync as St,writeFileSync as Lr}from"fs";import{dirname as vt,resolve as L}from"path";import{fileURLToPath as Nr}from"url";import{symlinkSync as _r}from"fs";function re({target:e,linkPath:t,label:n,symlink:r=_r}){try{return r(e,t),!0}catch(i){if(i instanceof Error&&"code"in i&&i.code==="EEXIST")return!0;let s=i instanceof Error?i.message:String(i);return console.warn(`\u26A0\uFE0F  Could not create ${n} symlink:`,s),!1}}o(re,"symlinkOrWarn");var Kr=L(vt(Nr(import.meta.url)),"..","..","_vendor","spec-kit"),jr={branch_numbering:"sequential"},Mr=[{from:"templates",to:".specify/templates"},{from:"scripts/bash",to:".specify/scripts/bash"},{from:"commands",to:".claude/commands"},{from:"commands",to:".cursor/commands"}];function xt({appDir:e,vendorDir:t=Kr}){let n=L(e,".specify"),r=L(n,"memory"),i=`prepare spec-kit install for appDir=${e}`;try{for(let{from:s,to:a}of Mr){let c=L(e,a);i=`copy ${s} to ${a}`,St(vt(c),{recursive:!0}),Ur(L(t,s),c,{recursive:!0})}i=`write init-options.json under specifyDir=${n}`,Lr(L(n,"init-options.json"),`${JSON.stringify(jr,null,2)}
-`),i=`link .specify/memory/constitution.md in specifyDir=${n}`,St(r,{recursive:!0}),re({target:"../../AGENTS.md",linkPath:L(r,"constitution.md"),label:".specify/memory/constitution.md"})}catch(s){let a=s instanceof Error?s.message:String(s);throw new Error(`installSpecKit failed while ${i} (appDir=${e}, vendorDir=${t}): ${a}`,{cause:s})}}o(xt,"installSpecKit");var bt=X(Hr(Br(import.meta.url)),"..","..","_templates");async function zr(){let e=X(bt,"app","new","prompt.js");return(await import(Yr(e).href)).default}o(zr,"loadPromptDefs");function Wr(e,t){return!e||t?null:Gr(e)}o(Wr,"resolveDirName");function qr(e,t,n){if(e)return{cwd:process.cwd(),display:"."};let r=t??n;if(!r)throw new Error("App creation completed without a target directory or name.");return{cwd:X(process.cwd(),r),display:r}}o(qr,"resolveAppLocation");function Qr(e,t,n){let r=`  npm install
-  npm run dev`,i="To deploy your app:",s="npx @cognite/cli apps deploy --interactive",a=n?`
+  npx @cognite/cli apps activate . --interactive     Activate using browser auth (no secrets needed)`).action((t,n)=>Lr(n))}o(yt,"registerActivateCommand");import{readdirSync as eo}from"fs";import{basename as Tt,dirname as to,normalize as no,resolve as Q}from"path";import{fileURLToPath as ro,pathToFileURL as oo}from"url";import{Logger as io,runner as so}from"hygen";import{execFileSync as ae}from"child_process";function ht(e={}){let{execFileSync:t=ae}=e;try{return t("git",["--version"],{stdio:"ignore"}),!0}catch{return!1}}o(ht,"isGitInstalled");function Ct(e,t={}){let{execFileSync:n=ae}=t;try{return n("git",["-C",e,"status"],{stdio:"ignore"}),!0}catch{return!1}}o(Ct,"isInsideGitRepo");function wt(e,t={}){let{execFileSync:n=ae}=t;n("git",["-C",e,"init"],{stdio:"pipe"}),n("git",["-C",e,"add","."],{stdio:"pipe"}),n("git",["-C",e,"commit","-m","Initial commit","--no-gpg-sign","--no-verify"],{stdio:"pipe"})}o(wt,"gitInitAndCommit");function vt(e={}){let{execFileSync:t=ae}=e;try{return String(t("git",["config","--get","user.email"],{encoding:"utf-8",stdio:["ignore","pipe","ignore"]})).trim()||void 0}catch{return}}o(vt,"gitUserEmail");import{safeParse as Nr}from"valibot";function q(e,t){return n=>{let r=Nr(t,n);return r.success?!0:`${e} ${r.issues[0].message}`}}o(q,"toPromptValidator");var Et={name:q("App name",Ee),displayName:q("Display name",ve),baseUrl:q("Base URL",Se),org:q("Org",Pe),project:q("Project",xe)};function jr(e,t){return e?async n=>{let r=t(n);return r===!0?e(n):r}:t}o(jr,"composeValidators");function pe(e){return e.map(t=>{if(!(t.name in Et))return t;let n=Et[t.name];return{...t,validate:jr(t.validate,n)}})}o(pe,"applySchemaValidators");import{basename as Pt}from"path";import xt from"enquirer";function St(e){return e.replace(/[A-Z]/g,(t,n)=>n===0?t.toLowerCase():`-${t.toLowerCase()}`)}o(St,"kebabCase");var Kr={type:"confirm",name:"useSpecKit",message:["Enable spec-driven development?","  Adds the github/spec-kit slash commands (/speckit.specify, .clarify, .plan, .tasks, .implement)","  to your app for use in Claude Code or Cursor. They walk you through writing SPEC.md and","  generating a plan, tasks, and implementation."].join(`
+`),initial:!1};async function Mr(e){return!!(await e([Kr])).useSpecKit}o(Mr,"promptForSpecKit");async function Vr(e,t,n){return e!==void 0?e:t?Mr(n):!1}o(Vr,"resolveSpecKit");function bt({isCurrentDir:e,dirName:t,onAppName:n,onUseSpecKit:r,presets:i={},specKit:a,prompt:s=xt.prompt.bind(xt)}){return()=>({prompt:o(async p=>{if(!Array.isArray(p))return s([p]);let c=Object.fromEntries(Object.entries(i).filter(f=>f[1]!==void 0)),l=Object.keys(c).length>0,m=e?Pt(process.cwd()):t?Pt(t):null,d=l&&m!==null,u=!d&&m?p.map(f=>f.name==="name"?{...f,initial:m}:f):p,C=pe(u),g=d?{...c,name:m}:c,E=new Set(Object.keys(g)),S=C.filter(f=>!E.has(f.name)),y=S.findIndex(f=>f.name==="baseUrl"),R;if(y!==-1){let f=S.filter(Gn=>Gn.name!=="baseUrl"),j=f.length>0?await s(f):{},ie=typeof j.cluster=="string"?j.cluster:"",K=typeof g.cluster=="string"?g.cluster:"",Mn=`https://${(ie||K).trim().replace(/\/+$/,"")||"api"}.cognitedata.com`,Vn=S[y],Hn=await s([{...Vn,initial:Mn}]);R={...j,...Hn}}else R=S.length>0?await s(S):{};let A={...g,...R},P=typeof A.name=="string"?A.name:"";P&&n(P);let x=await Vr(a,S.length>0,s);return r?.(x),{...A,name:P,useCurrentDir:e,directoryName:e?void 0:t??void 0,useSpecKit:x}},"prompt")})}o(bt,"createAppPrompter");async function At(e,t,n){let r=[];Object.values(t).some(a=>a!==void 0)&&n!==null&&r.push({key:"name",value:n,label:"directory"});for(let[a,s]of Object.entries(t))s!==void 0&&r.push({key:a,value:s,label:`--${St(a)}`});for(let{key:a,value:s,label:p}of r){let c=e.find(m=>m.name===a)?.validate;if(!c)continue;let l=await c(s);if(l!==!0)throw new Error(`Invalid ${p}: ${l}`)}}o(At,"validatePresets");import{cpSync as zr,mkdirSync as Dt,writeFileSync as Xr}from"fs";import{dirname as It,resolve as V}from"path";import{fileURLToPath as Wr}from"url";import{copyFileSync as Hr,symlinkSync as Gr}from"fs";import{dirname as Br,join as Yr}from"path";function Jr(e){if(e&&typeof e=="object"&&"code"in e&&typeof e.code=="string")return e.code}o(Jr,"errno");function kt(e){return e instanceof Error?e.message:String(e)}o(kt,"messageOf");function ce({target:e,linkPath:t,label:n,symlink:r=Gr,copyFile:i=Hr}){try{return r(e,t),!0}catch(a){let s=Jr(a);if(s==="EEXIST")return!0;let p=kt(a);if(s==="EPERM"||s==="EACCES")try{let c=Yr(Br(t),e);return i(c,t),console.log(`\u2139\uFE0F  Wrote ${n} as a copy of ${e} (symlinks need Developer Mode or an elevated shell on Windows).`),!0}catch(c){return console.warn(`\u26A0\uFE0F  Could not create ${n} symlink: ${p} (copy fallback also failed: ${kt(c)})`),!1}return console.warn(`\u26A0\uFE0F  Could not create ${n} symlink:`,p),!1}}o(ce,"linkOrCopyOrWarn");var qr=V(It(Wr(import.meta.url)),"..","..","_vendor","spec-kit"),Qr={branch_numbering:"sequential"},Zr=[{from:"templates",to:".specify/templates"},{from:"scripts/bash",to:".specify/scripts/bash"},{from:"commands",to:".claude/commands"},{from:"commands",to:".cursor/commands"}];function $t({appDir:e,vendorDir:t=qr}){let n=V(e,".specify"),r=V(n,"memory"),i=`prepare spec-kit install for appDir=${e}`;try{for(let{from:a,to:s}of Zr){let p=V(e,s);i=`copy ${a} to ${s}`,Dt(It(p),{recursive:!0}),zr(V(t,a),p,{recursive:!0})}i=`write init-options.json under specifyDir=${n}`,Xr(V(n,"init-options.json"),`${JSON.stringify(Qr,null,2)}
+`),i=`link .specify/memory/constitution.md in specifyDir=${n}`,Dt(r,{recursive:!0}),ce({target:"../../AGENTS.md",linkPath:V(r,"constitution.md"),label:".specify/memory/constitution.md"})}catch(a){let s=a instanceof Error?a.message:String(a);throw new Error(`installSpecKit failed while ${i} (appDir=${e}, vendorDir=${t}): ${s}`,{cause:a})}}o($t,"installSpecKit");var Ft=Q(to(ro(import.meta.url)),"..","..","_templates");async function ao(){let e=Q(Ft,"app","new","prompt.js");return(await import(oo(e).href)).default}o(ao,"loadPromptDefs");function po(e,t){return!e||t?null:no(e)}o(po,"resolveDirName");function co(e,t,n){if(e)return{cwd:process.cwd(),display:"."};let r=t??n;if(!r)throw new Error("App creation completed without a target directory or name.");return{cwd:Q(process.cwd(),r),display:r}}o(co,"resolveAppLocation");function lo(e,t,n){let r=`  npm install
+  npm run dev`,i="To deploy your app:",a="npx @cognite/cli apps deploy --interactive",s=n?`
 To start spec-driven development:
   Run /speckit.specify in Claude Code or Cursor and describe your app.
-`:"",c=`  # Or fully non-interactive (deploys first target from app.json):
+`:"",p=`  # Or fully non-interactive (deploys first target from app.json):
   npx @cognite/cli apps deploy`;if(e){console.log(`
 \u2705 App created successfully in current directory!
 
 Next steps:
 ${r}
-${a}
+${s}
 ${i}
-  ${s}
-${c}
+  ${a}
+${p}
 `);return}console.log(`
 \u2705 App created successfully!
 
@@ -58,13 +58,13 @@ To open in Cursor:
 Or:
   cd "${t}"
 ${r}
-${a}
+${s}
 ${i}
   cd "${t}"
-  ${s}
-${c}
-`)}o(Qr,"printSuccessMessage");async function Zr(e){try{let{execSkillsCli:t,pullAllArgs:n}=await import("../skills-GQ5TZKCM.js");console.log("\u{1F9E0} Pulling skills into your app..."),t(n(),{cwd:e,timeout:3e4,stdio:["pipe","pipe","inherit"]});let r=X(e,".agents","skills"),i=0;try{i=Vr(r).length}catch{console.warn(`Skills directory not found after pull \u2014 no skills may have been installed (expected: ${r})`)}let s=i>0?`${i} skills`:"skills";console.log(`\u2705 Installed ${s} successfully to
- ${r}`)}catch(t){let n=t instanceof Error?t.message:String(t);console.warn("\u26A0\uFE0F  Could not pull skills:",n)}}o(Zr,"pullSkillsInto");function eo(e,t={}){let{isGitInstalled:n=dt,isInsideGitRepo:r=ut,gitInitAndCommit:i=gt}=t;if(!n()){console.warn("git not found \u2014 skipping git repository initialisation");return}if(!r(e)){console.log("Initialising git repository...");try{i(e)}catch(s){let c=(s&&typeof s=="object"&&"stderr"in s&&s.stderr?String(s.stderr).trim():"")||(s instanceof Error?s.message:String(s));console.warn("Could not initialise git repository:",c)}}}o(eo,"maybeInitGit");async function to(e,t){let n=e==="."||e==="./",r=Wr(e,n),i=null,s=!1,a={displayName:t.displayName,description:t.description,org:t.org,project:t.project,cluster:t.cluster,baseUrl:t.baseUrl},c=await zr(),p=te(c),l=n?Pt(process.cwd()):r?Pt(r):null;await Et(p,a,l);let m=Ct({isCurrentDir:n,dirName:r,onAppName:o(u=>{i=u},"onAppName"),onUseSpecKit:o(u=>{s=u},"onUseSpecKit"),presets:a,specKit:t.specKit});await Xr(["app","new"],{templates:bt,cwd:process.cwd(),logger:new Jr(console.log.bind(console)),createPrompter:m,debug:!!process.env.DEBUG});let d=qr(n,r,i);re({target:"AGENTS.md",linkPath:X(d.cwd,"CLAUDE.md"),label:"CLAUDE.md"}),s&&xt({appDir:d.cwd}),await Zr(d.cwd),eo(d.cwd),Qr(n,d.display,s)}o(to,"handleCreate");function At(e){return e.command("create").description("Create a new application.").argument("[directory]","Target directory (. for current, or subdirectory name)").option("--display-name <name>","App display name (skips the prompt)").option("--description <description>","App description (skips the prompt)").option("--org <org>","Deployment org (skips the prompt)").option("--project <project>","Deployment project (skips the prompt)").option("--cluster <cluster>","CDF cluster, e.g. greenfield (skips the prompt)").option("--base-url <url>","CDF base URL, e.g. https://greenfield.cognitedata.com (skips the prompt; defaults to cluster-derived URL when omitted)").option("--spec-kit","Install spec-kit slash commands (skips the prompt)").option("--no-spec-kit","Skip spec-kit installation (skips the prompt)").addHelpText("after",`
+  ${a}
+${p}
+`)}o(lo,"printSuccessMessage");async function mo(e){try{let{execSkillsCli:t,pullAllArgs:n}=await import("../skills-GQ5TZKCM.js");console.log("\u{1F9E0} Pulling skills into your app..."),t(n(),{cwd:e,timeout:3e4,stdio:["pipe","pipe","inherit"]});let r=Q(e,".agents","skills"),i=0;try{i=eo(r).length}catch{console.warn(`Skills directory not found after pull \u2014 no skills may have been installed (expected: ${r})`)}let a=i>0?`${i} skills`:"skills";console.log(`\u2705 Installed ${a} successfully to
+ ${r}`)}catch(t){let n=t instanceof Error?t.message:String(t);console.warn("\u26A0\uFE0F  Could not pull skills:",n)}}o(mo,"pullSkillsInto");function uo(e,t={}){let{isGitInstalled:n=ht,isInsideGitRepo:r=Ct,gitInitAndCommit:i=wt}=t;if(!n()){console.warn("git not found \u2014 skipping git repository initialisation");return}if(!r(e)){console.log("Initialising git repository...");try{i(e)}catch(a){let p=(a&&typeof a=="object"&&"stderr"in a&&a.stderr?String(a.stderr).trim():"")||(a instanceof Error?a.message:String(a));console.warn("Could not initialise git repository:",p)}}}o(uo,"maybeInitGit");async function go(e,t){let n=e==="."||e==="./",r=po(e,n),i=null,a=!1,s={displayName:t.displayName,description:t.description,org:t.org,project:t.project,cluster:t.cluster,baseUrl:t.baseUrl},p=await ao(),c=pe(p),l=n?Tt(process.cwd()):r?Tt(r):null;await At(c,s,l);let m=bt({isCurrentDir:n,dirName:r,onAppName:o(u=>{i=u},"onAppName"),onUseSpecKit:o(u=>{a=u},"onUseSpecKit"),presets:s,specKit:t.specKit});await so(["app","new"],{templates:Ft,cwd:process.cwd(),logger:new io(console.log.bind(console)),createPrompter:m,debug:!!process.env.DEBUG});let d=co(n,r,i);ce({target:"AGENTS.md",linkPath:Q(d.cwd,"CLAUDE.md"),label:"CLAUDE.md"}),a&&$t({appDir:d.cwd}),await mo(d.cwd),uo(d.cwd),lo(n,d.display,a)}o(go,"handleCreate");function Ot(e){return e.command("create").description("Create a new application.").argument("[directory]","Target directory (. for current, or subdirectory name)").option("--display-name <name>","App display name (skips the prompt)").option("--description <description>","App description (skips the prompt)").option("--org <org>","Deployment org (skips the prompt)").option("--project <project>","Deployment project (skips the prompt)").option("--cluster <cluster>","CDF cluster, e.g. greenfield (skips the prompt)").option("--base-url <url>","CDF base URL, e.g. https://greenfield.cognitedata.com (skips the prompt; defaults to cluster-derived URL when omitted)").option("--spec-kit","Install spec-kit slash commands (skips the prompt)").option("--no-spec-kit","Skip spec-kit installation (skips the prompt)").addHelpText("after",`
 Non-interactive use (CI, scripts, AI agents):
   Pass [directory] plus --display-name, --description, --org, --project, --cluster, --base-url
   to skip every prompt. Missing flags fall back to the interactive prompt.
@@ -77,14 +77,17 @@ Examples:
     --display-name "My App" --description "My app" \\
     --org cog-atlas --project atlas-greenfield --cluster greenfield \\
     --base-url https://greenfield.cognitedata.com
-                                             Fully non-interactive`).action(to)}o(At,"registerCreateCommand");import{readFile as co,unlink as po}from"fs/promises";import{basename as lo}from"path";import Dt from"fs";import so from"path";import R from"fs";import w from"path";import{parseAndValidateManifestConfig as no}from"@cognite/app-sdk/vite";import{BlobReader as ro,Uint8ArrayWriter as oo,ZipWriter as io}from"@zip.js/zip.js";var xe="package.json",Pe="package-lock.json",kt="manifest.json",be=".cognite",Ae=class Ae{constructor(t="dist"){this.distPath=w.isAbsolute(t)?t:w.join(process.cwd(),t),this.appRoot=w.dirname(this.distPath)}validateBuildDirectory(){if(!R.existsSync(this.distPath))throw new Error(`Build directory "${this.distPath}" not found. Run build first.`);let t=w.join(this.appRoot,xe);if(!R.existsSync(t))throw new Error(`"${t}" not found. It is required for deployment.`);let n=w.join(this.appRoot,Pe);if(!R.existsSync(n))throw new Error(`"${n}" not found. It is required for deployment.`)}async createZip(t="app.zip",n=!1){this.validateBuildDirectory(),console.log("\u{1F4E6} Packaging application...");let r=new io(new oo,{level:9}),i=o(async(p,l)=>{await r.add(l,new ro(await R.openAsBlob(p))),n&&console.log(`  \u{1F4C4} ${l}`)},"addFile"),s=o(async p=>{let l=await R.promises.readdir(p,{withFileTypes:!0});for(let m of l){let d=w.join(p,m.name);m.isDirectory()?await s(d):await i(d,w.relative(this.distPath,d).replace(/\\/g,"/"))}},"addDir"),a;try{await s(this.distPath);let p=w.join(this.appRoot,xe);await i(p,w.posix.join(be,xe));let l=w.join(this.appRoot,kt);if(R.existsSync(l)){let d=R.readFileSync(l,"utf-8");no(d,l),await i(l,w.posix.join(be,kt))}let m=w.join(this.appRoot,Pe);await i(m,w.posix.join(be,Pe)),a=await r.close()}catch(p){let l=p instanceof Error?p.message:String(p);throw new Error(`Failed to create zip: ${l}`)}await R.promises.writeFile(t,a);let c=(a.byteLength/1024/1024).toFixed(2);return console.log(`\u2705 App packaged: ${t} (${c} MB)`),t}};o(Ae,"ApplicationPackager");var N=Ae;var ke=o(async(e,t,n)=>{let r=await new N(`${n}/dist`).createZip("app.zip",!0);try{let{externalId:i,name:s,description:a,versionTag:c}=t,p=await Y(e,n),l=new h(p),m=Dt.readFileSync(r),d=so.basename(r);await l.deploy(i,s,a,c,m,d,e.published)}finally{try{Dt.unlinkSync(r)}catch{}}},"deploy");import{execSync as ao}from"child_process";function De(e,t=!0,n={execSync:ao}){console.log("\u{1F4E6} Building app with npm..."),n.execSync("npm run build",{cwd:e,stdio:t?"inherit":"pipe"}),console.log("\u2705 Build successful")}o(De,"buildApp");function It(e,t){let{org:n,project:r,baseUrl:i}=e,s;try{s=new URL(i).hostname}catch{return null}let{externalId:a,versionTag:c}=t,p=new URLSearchParams({cluster:s,customAppVersion:c,workspace:"industrial-tools"});return`https://${n}.fusion.cognite.com/${r}/flows-apps/app/${encodeURIComponent(a)}?${p}`}o(It,"generateFusionUrl");function Tt(e,t,n){let r=n?"\u{1F680} Deploy (Interactive)":"\u{1F680} Deploy",i=n?`${t.project} @ ${t.baseUrl}`:`${t.org}/${t.project}`;console.log(["",r,"=".repeat(r.length),`App: ${e.name} (${e.externalId})`,`Version: ${e.versionTag}`,`Target: ${i}`,""].join(`
-`))}o(Tt,"printDeployInfo");function $t(e,t){console.log(`
+                                             Fully non-interactive`).action(go)}o(Ot,"registerCreateCommand");import fo from"path";async function yo(e,t,n){let r=await I(e,{interactive:t.interactive,appId:n,orgHint:t.org});return new h(r)}o(yo,"defaultGetApiClient");async function ho(e,t,n={}){let{loadEnvFile:r=F,loadAppConfig:i=w,getApiClient:a=yo}=n,s=fo.resolve(process.cwd(),e);r(s);let p=i(s);O(p);let c=t.interactive?await T(p,t):b(p.deployments,t.deployment);if(!t.interactive){let u=$(c);if(u.length>0)throw new Error(`Deployment ${c.org}/${c.project} is missing ${u.join(" and ")} in app.json. Use \`npx @cognite/cli@latest apps deactivate --interactive\` for browser-based authentication instead.`)}let l=await a(c,t,p.externalId),{externalId:m}=p,d=await l.getActiveVersion(m);if(!d){console.log(`  ${m} has no active version \u2014 nothing to deactivate.`);return}await l.deactivateVersion(m,d.version),console.log(`\u2713 Deactivated  ${m} @ ${d.version} \u2014 active alias removed`)}o(ho,"handleDeactivate");function Rt(e){return e.command("deactivate").description("Deactivate the app by removing its active version from service").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
+Examples:
+  npx @cognite/cli apps deactivate .                   Deactivate using env-var auth
+  npx @cognite/cli apps deactivate . --interactive     Deactivate using browser auth (no secrets needed)`).action((t,n)=>ho(t,n))}o(Rt,"registerDeactivateCommand");import{readFile as xo,unlink as bo}from"fs/promises";import{basename as Ao}from"path";import Ut from"fs";import So from"path";import L from"fs";import v from"path";import{parseAndValidateManifestConfig as Co}from"@cognite/app-sdk/vite";import{BlobReader as wo,Uint8ArrayWriter as vo,ZipWriter as Eo}from"@zip.js/zip.js";var Ie="package.json",$e="package-lock.json",_t="manifest.json",Te=".cognite",Fe=class Fe{constructor(t="dist"){this.distPath=v.isAbsolute(t)?t:v.join(process.cwd(),t),this.appRoot=v.dirname(this.distPath)}validateBuildDirectory(){if(!L.existsSync(this.distPath))throw new Error(`Build directory "${this.distPath}" not found. Run build first.`);let t=v.join(this.appRoot,Ie);if(!L.existsSync(t))throw new Error(`"${t}" not found. It is required for deployment.`);let n=v.join(this.appRoot,$e);if(!L.existsSync(n))throw new Error(`"${n}" not found. It is required for deployment.`)}async createZip(t="app.zip",n=!1){this.validateBuildDirectory(),console.log("\u{1F4E6} Packaging application...");let r=new Eo(new vo,{level:9}),i=o(async(c,l)=>{await r.add(l,new wo(await L.openAsBlob(c))),n&&console.log(`  \u{1F4C4} ${l}`)},"addFile"),a=o(async c=>{let l=await L.promises.readdir(c,{withFileTypes:!0});for(let m of l){let d=v.join(c,m.name);m.isDirectory()?await a(d):await i(d,v.relative(this.distPath,d).replace(/\\/g,"/"))}},"addDir"),s;try{await a(this.distPath);let c=v.join(this.appRoot,Ie);await i(c,v.posix.join(Te,Ie));let l=v.join(this.appRoot,_t);if(L.existsSync(l)){let d=L.readFileSync(l,"utf-8");Co(d,l),await i(l,v.posix.join(Te,_t))}let m=v.join(this.appRoot,$e);await i(m,v.posix.join(Te,$e)),s=await r.close()}catch(c){let l=c instanceof Error?c.message:String(c);throw new Error(`Failed to create zip: ${l}`)}await L.promises.writeFile(t,s);let p=(s.byteLength/1024/1024).toFixed(2);return console.log(`\u2705 App packaged: ${t} (${p} MB)`),t}};o(Fe,"ApplicationPackager");var H=Fe;var Oe=o(async(e,t,n)=>{let r=await new H(`${n}/dist`).createZip("app.zip",!0);try{let{externalId:i,name:a,description:s,versionTag:p}=t,c=await W(e,n),l=new h(c),m=Ut.readFileSync(r),d=So.basename(r);await l.deploy(i,a,s,p,m,d,e.published)}finally{try{Ut.unlinkSync(r)}catch{}}},"deploy");import{execSync as Po}from"child_process";function Re(e,t=!0,n={execSync:Po}){console.log("\u{1F4E6} Building app with npm..."),n.execSync("npm run build",{cwd:e,stdio:t?"inherit":"pipe"}),console.log("\u2705 Build successful")}o(Re,"buildApp");function Lt(e,t){let{org:n,project:r,baseUrl:i}=e,a;try{a=new URL(i).hostname}catch{return null}let{externalId:s,versionTag:p}=t,c=new URLSearchParams({cluster:a,customAppVersion:p,workspace:"industrial-tools"});return`https://${n}.fusion.cognite.com/${r}/flows-apps/app/${encodeURIComponent(s)}?${c}`}o(Lt,"generateFusionUrl");function Nt(e,t,n){let r=n?"\u{1F680} Deploy (Interactive)":"\u{1F680} Deploy",i=n?`${t.project} @ ${t.baseUrl}`:`${t.org}/${t.project}`;console.log(["",r,"=".repeat(r.length),`App: ${e.name} (${e.externalId})`,`Version: ${e.versionTag}`,`Target: ${i}`,""].join(`
+`))}o(Nt,"printDeployInfo");function jt(e,t){console.log(`
 \u2705 Successfully deployed ${e.name} version ${e.versionTag} to ${t.org?`${t.org}/`:""}${t.project}`),console.log("\u{1F512} App is deployed in draft mode");let n=e.deployments.length>1?` -d ${t.project}`:"";console.log(`
-To publish:  npx @cognite/cli apps publish .${n}`),console.log(`To activate: npx @cognite/cli apps activate .${n}`);let r=It(t,e);r&&console.log(`
+To publish:  npx @cognite/cli apps publish .${n}`),console.log(`To activate: npx @cognite/cli apps activate .${n}`);let r=Lt(t,e);r&&console.log(`
 \u{1F517} Open your app:
-   ${r}`)}o($t,"printDeployResult");async function mo(e,t,n,r,i){let s=T(t);if(s.length>0)throw new Error(`Deployment ${t.org}/${t.project} is missing ${s.join(" and ")} in app.json. Use \`cognite apps deploy --interactive\` for browser-based authentication instead.`);Tt(e,t,!1),r.skipBuild||De(n),console.log(`
-\u{1F4E4} Deploying to ${t.org}/${t.project}...`),await i({...t,published:!1},{externalId:e.externalId,name:e.name,description:e.description,versionTag:e.versionTag},n),$t(e,t)}o(mo,"handleDeployNonInteractive");async function uo(e,t,n,r){Tt(e,t,!0),r.skipBuild||De(n);let i=await I(t,{interactive:!0,appId:e.externalId,orgHint:r.org});console.log(`
-\u{1F4E4} Deploying to ${t.project}...`);let s=await new N(`${n}/dist`).createZip("app.zip",!0);try{let a=await co(s);await new h(i).deploy(e.externalId,e.name,e.description,e.versionTag,a,lo(s),!1),$t(e,t)}finally{await po(s).catch(()=>{})}}o(uo,"handleDeployInteractive");async function go(e,t=process.cwd(),n={}){let{loadEnvFile:r=F,loadAppConfig:i=C,deploy:s=ke}=n;r(t);let a=i(t);if(O(a),e.interactive){let p=await $(a,e);await uo(a,p,t,e);return}let c=P(a.deployments,e.deployment);await mo(a,c,t,e,s)}o(go,"handleDeploy");function Ft(e){return e.command("deploy").description("Deploy your app to Cognite Data Fusion. Use --interactive for browser-based login (no env-var secrets required).").option("-d, --deployment <target>","Deployment target (index or project name)").option("--skip-build","Skip the build step",!1).option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
+   ${r}`)}o(jt,"printDeployResult");async function ko(e,t,n,r,i){let a=$(t);if(a.length>0)throw new Error(`Deployment ${t.org}/${t.project} is missing ${a.join(" and ")} in app.json. Use \`cognite apps deploy --interactive\` for browser-based authentication instead.`);Nt(e,t,!1),r.skipBuild||Re(n),console.log(`
+\u{1F4E4} Deploying to ${t.org}/${t.project}...`),await i({...t,published:!1},{externalId:e.externalId,name:e.name,description:e.description,versionTag:e.versionTag},n),jt(e,t)}o(ko,"handleDeployNonInteractive");async function Do(e,t,n,r){Nt(e,t,!0),r.skipBuild||Re(n);let i=await I(t,{interactive:!0,appId:e.externalId,orgHint:r.org});console.log(`
+\u{1F4E4} Deploying to ${t.project}...`);let a=await new H(`${n}/dist`).createZip("app.zip",!0);try{let s=await xo(a);await new h(i).deploy(e.externalId,e.name,e.description,e.versionTag,s,Ao(a),!1),jt(e,t)}finally{await bo(a).catch(()=>{})}}o(Do,"handleDeployInteractive");async function Io(e,t=process.cwd(),n={}){let{loadEnvFile:r=F,loadAppConfig:i=w,deploy:a=Oe}=n;r(t);let s=i(t);if(O(s),e.interactive){let c=await T(s,e);await Do(s,c,t,e);return}let p=b(s.deployments,e.deployment);await ko(s,p,t,e,a)}o(Io,"handleDeploy");function Kt(e){return e.command("deploy").description("Deploy your app to Cognite Data Fusion. Use --interactive for browser-based login (no env-var secrets required).").option("-d, --deployment <target>","Deployment target (index or project name)").option("--skip-build","Skip the build step",!1).option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
 Environment (non-interactive):
   deployClientId and deploySecretName are configured per deployment in app.json.
   deploySecretName is the name of the environment variable that holds the client
@@ -98,42 +101,43 @@ Examples:
   npx @cognite/cli apps deploy -d my-project      Deploy to project by name
   npx @cognite/cli apps deploy --skip-build       Deploy without rebuilding
   npx @cognite/cli apps deploy --interactive      Browser auth, prompts for target
-  npx @cognite/cli apps deploy --interactive -d 0 Browser auth, target chosen non-interactively`).action(t=>go(t))}o(Ft,"registerDeployCommand");async function fo(e){let t=process.cwd();F(t);let n=C(t);O(n);let r=e.interactive?await $(n,e):P(n.deployments,e.deployment);if(!e.interactive){let l=T(r);if(l.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${l.join(" and ")} in app.json. Use \`cognite apps publish --interactive\` for browser-based authentication instead.`)}let i=await I(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),s=new h(i),{externalId:a,versionTag:c}=n,p;try{p=await s.getVersion(a,c)}catch(l){throw l instanceof E?new Error(`Version ${c} of ${a} has not been deployed yet. Run \`npx @cognite/cli apps deploy\` first.`):l}if(p.alias==="ACTIVE"){console.log(`  ${a} @ ${c} is already ACTIVE \u2014 nothing to do.`);return}if(p.lifecycleState==="PUBLISHED"){console.log(`  ${a} @ ${c} is already PUBLISHED \u2014 nothing to do.`);return}if(p.lifecycleState==="DEPRECATED"||p.lifecycleState==="ARCHIVED")throw new Error(`Cannot publish ${a} @ ${c}: version is ${p.lifecycleState} (terminal).`);await s.publishVersion(a,c),console.log(`\u2713 Published  ${a} @ ${c} is now PUBLISHED`),console.log(""),console.log("Run `npx @cognite/cli apps activate .` to make it active.")}o(fo,"handlePublish");function Ot(e){return e.command("publish").description("Publish the current app version (transition DRAFT \u2192 PUBLISHED)").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
+  npx @cognite/cli apps deploy --interactive -d 0 Browser auth, target chosen non-interactively`).action(t=>Io(t))}o(Kt,"registerDeployCommand");async function $o(e){let t=process.cwd();F(t);let n=w(t);O(n);let r=e.interactive?await T(n,e):b(n.deployments,e.deployment);if(!e.interactive){let l=$(r);if(l.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${l.join(" and ")} in app.json. Use \`cognite apps publish --interactive\` for browser-based authentication instead.`)}let i=await I(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),a=new h(i),{externalId:s,versionTag:p}=n,c;try{c=await a.getVersion(s,p)}catch(l){throw l instanceof k?new Error(`Version ${p} of ${s} has not been deployed yet. Run \`npx @cognite/cli apps deploy\` first.`):l}if(c.alias==="ACTIVE"){console.log(`  ${s} @ ${p} is already ACTIVE \u2014 nothing to do.`);return}if(c.lifecycleState==="PUBLISHED"){console.log(`  ${s} @ ${p} is already PUBLISHED \u2014 nothing to do.`);return}if(c.lifecycleState==="DEPRECATED"||c.lifecycleState==="ARCHIVED")throw new Error(`Cannot publish ${s} @ ${p}: version is ${c.lifecycleState} (terminal).`);await a.publishVersion(s,p),console.log(`\u2713 Published  ${s} @ ${p} is now PUBLISHED`),console.log(""),console.log("Run `npx @cognite/cli apps activate .` to make it active.")}o($o,"handlePublish");function Mt(e){return e.command("publish").description("Publish the current app version (transition DRAFT \u2192 PUBLISHED)").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
 Examples:
   npx @cognite/cli apps publish .                    Publish using env-var auth
-  npx @cognite/cli apps publish . --interactive      Publish using browser auth (no secrets needed)`).action((t,n)=>fo(n))}o(Ot,"registerPublishCommand");function yo(e){return e.alias==="ACTIVE"?"ACTIVE":e.lifecycleState}o(yo,"describeStatus");async function ho(e){let t=process.cwd();F(t);let n=C(t);O(n);let r=e.interactive?await $(n,e):P(n.deployments,e.deployment);if(!e.interactive){let a=T(r);if(a.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${a.join(" and ")} in app.json. Use \`cognite apps status --interactive\` for browser-based authentication instead.`)}let i=await I(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),s=new h(i);console.log(""),console.log(`App:     ${n.name} (${n.externalId})`),console.log(`Version: ${n.versionTag}  (local)`);try{let a=await s.getVersion(n.externalId,n.versionTag),c=yo(a);console.log(`Status:  ${c}`),a.lifecycleState==="DRAFT"&&(console.log(""),console.log("Run `npx @cognite/cli apps publish .` to publish this version."))}catch(a){if(a instanceof E){console.log("Status:  not deployed yet"),console.log(""),console.log("Run `npx @cognite/cli apps deploy` to upload this version.");return}throw a}}o(ho,"handleStatus");function Rt(e){return e.command("status").description("Show the deployment status of the current app version").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
+  npx @cognite/cli apps publish . --interactive      Publish using browser auth (no secrets needed)`).action((t,n)=>$o(n))}o(Mt,"registerPublishCommand");function To(e){return e.alias==="ACTIVE"?"ACTIVE":e.lifecycleState}o(To,"describeStatus");async function Fo(e){let t=process.cwd();F(t);let n=w(t);O(n);let r=e.interactive?await T(n,e):b(n.deployments,e.deployment);if(!e.interactive){let s=$(r);if(s.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${s.join(" and ")} in app.json. Use \`cognite apps status --interactive\` for browser-based authentication instead.`)}let i=await I(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),a=new h(i);console.log(""),console.log(`App:     ${n.name} (${n.externalId})`),console.log(`Version: ${n.versionTag}  (local)`);try{let s=await a.getVersion(n.externalId,n.versionTag),p=To(s);console.log(`Status:  ${p}`),s.lifecycleState==="DRAFT"&&(console.log(""),console.log("Run `npx @cognite/cli apps publish .` to publish this version."))}catch(s){if(s instanceof k){console.log("Status:  not deployed yet"),console.log(""),console.log("Run `npx @cognite/cli apps deploy` to upload this version.");return}throw s}}o(Fo,"handleStatus");function Vt(e){return e.command("status").description("Show the deployment status of the current app version").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
 Examples:
   npx @cognite/cli apps status .                     Status using env-var auth
-  npx @cognite/cli apps status . --interactive       Status using browser auth (no secrets needed)`).action((t,n)=>ho(n))}o(Rt,"registerStatusCommand");function _t(e){let t=e.command("apps").description("Manage Fusion Custom Apps \u2014 create, deploy, and manage version lifecycle");return At(t),Ft(t),Rt(t),Ot(t),lt(t),Be(t),t}o(_t,"registerAppsCommand");import{existsSync as li,mkdirSync as mi,writeFileSync as di}from"fs";import{dirname as Le,join as Ne}from"path";import{execFile as Co}from"child_process";import{promisify as Eo}from"util";import{platform as wo}from"os";function K(e={}){let{platform:t=wo}=e;return t()==="darwin"}o(K,"isMacOS");var Ut="cognite-flows",So=Eo(Co),Lt=o((e,t)=>So(e,t),"defaultExecFile"),vo=-25300,xo=vo&255;function Po(e){if(!(e instanceof Error)||!("code"in e)||e.code!==xo)return!1;let t="stderr"in e?String(e.stderr):"";return/could not be found/i.test(t)||t===""}o(Po,"isKeychainNotFoundError");async function Nt(e,t,n={}){if(!K(n))throw new Error("Keychain storage is only supported on macOS");let{execFile:r=Lt}=n;await r("security",["add-generic-password","-a",e,"-s",Ut,"-w",Buffer.from(t,"utf-8").toString("base64"),"-U"])}o(Nt,"storeKeyInKeychain");async function Kt(e,t={}){if(!K(t))return null;let{execFile:n=Lt}=t;try{let{stdout:r}=await n("security",["find-generic-password","-a",e,"-s",Ut,"-w"]);return Buffer.from(r.trim(),"base64").toString("utf-8")}catch(r){if(Po(r))return null;throw r}}o(Kt,"readKeyFromKeychain");import{pbkdf2 as ko,randomBytes as Do}from"crypto";import{promisify as Io}from"util";import{CompactEncrypt as To,base64url as $o,compactDecrypt as dp}from"jose";var bo=new TextEncoder,Ao=new TextDecoder,jt={encode:o(e=>bo.encode(e),"encode"),decode:o(e=>Ao.decode(e),"decode")};var Fo=Io(ko),Ie=6e5,Oo="sha512",Ro="PBKDF2-HMAC-SHA512",_o=16,Uo="A256GCM",Lo=32,Mt=2e6;async function No(e,t,n){return await Fo(e,t,n,Lo,Oo)}o(No,"deriveKey");async function Vt(e,t,n=Ie){if(!Number.isInteger(n)||n<1||n>Mt)throw new Error(`Invalid iterations: must be an integer between 1 and ${Mt}`);let r=Do(_o),i=await No(t,r,n);return await new To(jt.encode(e)).setProtectedHeader({alg:"dir",enc:Uo,kdf:Ro,kdf_iter:n,kdf_salt:$o.encode(r)}).encrypt(i)}o(Vt,"encryptStringAsJwe");import{calculateJwkThumbprint as Ko,exportJWK as jo,exportPKCS8 as Mo,exportSPKI as Vo,generateKeyPair as Ho}from"jose";async function Ht(){let{publicKey:e,privateKey:t}=await Ho("EdDSA",{extractable:!0}),n=await Mo(t),r=await Vo(e),i=await jo(e),s=await Ko(i);return{privateKeyPem:n,publicKeyPem:r,kid:s}}o(Ht,"generateSigningKeyPair");import{existsSync as Bo,readdirSync as Yo,readFileSync as Jo}from"fs";import{join as oe}from"path";import{homedir as Go}from"os";import{join as Gt}from"path";function j(e={}){let{env:t=process.env,homedir:n=Go}=e,r=t.DUNE_HOME?.trim()||Gt(n(),".dune");return{home:r,keysDir:Gt(r,"keys")}}o(j,"getConfig");var ie=".pub.pem",Te=".key.jwe",Xo=".pem",$e=".meta.json";function Bt(e){switch(e.kind){case"keychain":return"Keychain";case"encrypted-file":return e.path;case"legacy-unencrypted-file":return`${e.path} (unencrypted \u2014 rotate)`;case"public-only":return"public-only (private key missing)"}}o(Bt,"formatLocalKeySource");function zo(e){return{existsSync:e.existsSync??Bo,readdirSync:e.readdirSync??Yo,readFileSync:e.readFileSync??((t,n)=>Jo(t,n)),isMacOS:e.isMacOS??(()=>K()),readKeyFromKeychain:e.readKeyFromKeychain??(t=>Kt(t))}}o(zo,"resolveDeps");function Wo(e){try{let t=JSON.parse(e);if(typeof t=="object"&&t!==null&&!Array.isArray(t)&&"email"in t&&typeof t.email=="string")return t.email}catch{}}o(Wo,"readEmailFromMeta");function qo(e,t){return t.existsSync(e)?t.readdirSync(e).filter(n=>n.endsWith(ie)):[]}o(qo,"publicKeyEntries");function Qo(e){return e.slice(0,-ie.length)}o(Qo,"kidFromPublicKeyFilename");async function Zo(e,t,n){if(n.isMacOS()&&await n.readKeyFromKeychain(e).catch(()=>null)!==null)return{kind:"keychain"};let r=oe(t,`${e}${Te}`);if(n.existsSync(r))return{kind:"encrypted-file",path:r};let i=oe(t,`${e}${Xo}`);return n.existsSync(i)?{kind:"legacy-unencrypted-file",path:i}:{kind:"public-only"}}o(Zo,"resolveSource");async function Yt(e=j().keysDir,t={}){let n=zo(t),r=new Set,i=qo(e,n).flatMap(s=>{let a=Qo(s);return!a||r.has(a)?[]:(r.add(a),[{kid:a,entry:s}])});return Promise.all(i.map(async({kid:s,entry:a})=>{let c=await Zo(s,e,n),p=oe(e,`${s}${$e}`),l;try{l=Wo(n.readFileSync(p,"utf8"))}catch{}return{kid:s,source:c,publicKeyPath:oe(e,a),email:l}}))}o(Yt,"discoverLocalKeys");function Jt(e,t){let n=e.getUTCFullYear(),r=e.getUTCMonth()+t,i=new Date(Date.UTC(n,r+1,0)).getUTCDate(),s=Math.min(e.getUTCDate(),i);return new Date(Date.UTC(n,r,s))}o(Jt,"addMonthsClamped");function Fe(e){return e.toISOString().slice(0,10)}o(Fe,"formatIsoDate");function Xt(e=new Date){return Fe(e)}o(Xt,"todayIso");import ei,{Chalk as ti}from"chalk";var Oe=new ti({level:0});function zt(e){return e.isTTY?ei:Oe}o(zt,"chalkForStream");function ni(e){return e.replace(/-----BEGIN [^-]+-----/g,"").replace(/-----END [^-]+-----/g,"").replace(/\s+/g,"")}o(ni,"pemBodyOneLine");function Wt(e,t=Oe,n=new Date){let r=e.issuedAt??Xt(n),i=ni(e.publicKeyPem),s="  ",a=o((p,l)=>`${s}${t.cyan(p)}${t.dim(":")} ${l}
-`,"kv"),c="";return c+=`
+  npx @cognite/cli apps status . --interactive       Status using browser auth (no secrets needed)`).action((t,n)=>Fo(n))}o(Vt,"registerStatusCommand");function Ht(e){let t=e.command("apps").description("Manage Fusion Custom Apps \u2014 create, deploy, and manage version lifecycle");return Ot(t),Kt(t),Vt(t),Mt(t),yt(t),Rt(t),qe(t),t}o(Ht,"registerAppsCommand");import{existsSync as vi,mkdirSync as Ei,writeFileSync as Si}from"fs";import{dirname as He,join as ge}from"path";import{generateSigningKeyPair as Pi}from"@cognite/app-sdk/codesigning";import{execFile as Ro}from"child_process";import{promisify as _o}from"util";import{platform as Oo}from"os";function G(e={}){let{platform:t=Oo}=e;return t()==="darwin"}o(G,"isMacOS");var Gt="cognite-flows",Uo=_o(Ro),Bt=o((e,t)=>Uo(e,t),"defaultExecFile"),Lo=-25300,No=Lo&255;function jo(e){if(!(e instanceof Error)||!("code"in e)||e.code!==No)return!1;let t="stderr"in e?String(e.stderr):"";return/could not be found/i.test(t)||t===""}o(jo,"isKeychainNotFoundError");async function Yt(e,t,n={}){if(!G(n))throw new Error("Keychain storage is only supported on macOS");let{execFile:r=Bt}=n;await r("security",["add-generic-password","-a",e,"-s",Gt,"-w",Buffer.from(t,"utf-8").toString("base64"),"-U"])}o(Yt,"storeKeyInKeychain");async function Jt(e,t={}){if(!G(t))return null;let{execFile:n=Bt}=t;try{let{stdout:r}=await n("security",["find-generic-password","-a",e,"-s",Gt,"-w"]);return Buffer.from(r.trim(),"base64").toString("utf-8")}catch(r){if(jo(r))return null;throw r}}o(Jt,"readKeyFromKeychain");import{pbkdf2 as Vo,randomBytes as Ho}from"crypto";import{promisify as Go}from"util";import{CompactEncrypt as Bo,base64url as Yo,compactDecrypt as Rc}from"jose";var Ko=new TextEncoder,Mo=new TextDecoder,zt={encode:o(e=>Ko.encode(e),"encode"),decode:o(e=>Mo.decode(e),"decode")};var Jo=Go(Vo),_e=6e5,zo="sha512",Xo="PBKDF2-HMAC-SHA512",Wo=16,qo="A256GCM",Qo=32,Xt=2e6;async function Zo(e,t,n){return await Jo(e,t,n,Qo,zo)}o(Zo,"deriveKey");async function Wt(e,t,n=_e){if(!Number.isInteger(n)||n<1||n>Xt)throw new Error(`Invalid iterations: must be an integer between 1 and ${Xt}`);let r=Ho(Wo),i=await Zo(t,r,n);return await new Bo(zt.encode(e)).setProtectedHeader({alg:"dir",enc:qo,kdf:Xo,kdf_iter:n,kdf_salt:Yo.encode(r)}).encrypt(i)}o(Wt,"encryptStringAsJwe");import{existsSync as ti,readdirSync as ni,readFileSync as ri}from"fs";import{join as le}from"path";import{homedir as ei}from"os";import{join as qt}from"path";function N(e={}){let{env:t=process.env,homedir:n=ei}=e,r=t.DUNE_HOME?.trim()||qt(n(),".dune");return{home:r,keysDir:qt(r,"keys")}}o(N,"getConfig");var ee=".pub.pem",Ue=".key.jwe",oi=".pem",Le=".meta.json";function Qt(e){switch(e.kind){case"keychain":return"Keychain";case"encrypted-file":return e.path;case"legacy-unencrypted-file":return`${e.path} (unencrypted \u2014 rotate)`;case"public-only":return"public-only (private key missing)"}}o(Qt,"formatLocalKeySource");function ii(e){return{existsSync:e.existsSync??ti,readdirSync:e.readdirSync??ni,readFileSync:e.readFileSync??((t,n)=>ri(t,n)),isMacOS:e.isMacOS??(()=>G()),readKeyFromKeychain:e.readKeyFromKeychain??(t=>Jt(t))}}o(ii,"resolveDeps");function si(e){try{let t=JSON.parse(e);if(typeof t=="object"&&t!==null&&!Array.isArray(t)&&"email"in t&&typeof t.email=="string")return t.email}catch{}}o(si,"readEmailFromMeta");function ai(e,t){return t.existsSync(e)?t.readdirSync(e).filter(n=>n.endsWith(ee)):[]}o(ai,"publicKeyEntries");function pi(e){return e.slice(0,-ee.length)}o(pi,"kidFromPublicKeyFilename");async function ci(e,t,n){if(n.isMacOS()&&await n.readKeyFromKeychain(e).catch(()=>null)!==null)return{kind:"keychain"};let r=le(t,`${e}${Ue}`);if(n.existsSync(r))return{kind:"encrypted-file",path:r};let i=le(t,`${e}${oi}`);return n.existsSync(i)?{kind:"legacy-unencrypted-file",path:i}:{kind:"public-only"}}o(ci,"resolveSource");async function Zt(e=N().keysDir,t={}){let n=ii(t),r=new Set,i=ai(e,n).flatMap(a=>{let s=pi(a);return!s||r.has(s)?[]:(r.add(s),[{kid:s,entry:a}])});return Promise.all(i.map(async({kid:a,entry:s})=>{let p=await ci(a,e,n),c=le(e,`${a}${Le}`),l;try{l=si(n.readFileSync(c,"utf8"))}catch{}return{kid:a,source:p,publicKeyPath:le(e,s),email:l}}))}o(Zt,"discoverLocalKeys");function en(e,t){let n=e.getUTCFullYear(),r=e.getUTCMonth()+t,i=new Date(Date.UTC(n,r+1,0)).getUTCDate(),a=Math.min(e.getUTCDate(),i);return new Date(Date.UTC(n,r,a))}o(en,"addMonthsClamped");function Ne(e){return e.toISOString().slice(0,10)}o(Ne,"formatIsoDate");function tn(e=new Date){return Ne(e)}o(tn,"todayIso");import li,{Chalk as mi}from"chalk";var je=new mi({level:0});function nn(e){return e.isTTY?li:je}o(nn,"chalkForStream");function di(e){return e.replace(/-----BEGIN [^-]+-----/g,"").replace(/-----END [^-]+-----/g,"").replace(/\s+/g,"")}o(di,"pemBodyOneLine");function rn(e,t=je,n=new Date){let r=e.issuedAt??tn(n),i=di(e.publicKeyPem),a="  ",s=o((c,l)=>`${a}${t.cyan(c)}${t.dim(":")} ${l}
+`,"kv"),p="";return p+=`
 ${t.bold("Add this entry to")} ${t.magenta("services/app-hosting/config/signing-keys.yaml")} ${t.bold("under")} ${t.cyan("public_keys:")}
 
-`,c+=`${t.dim("-")} ${t.cyan("kid")}${t.dim(":")} ${t.green(e.kid)}
-`,c+=a("public_key",t.green(i)),c+=a("email",t.yellow(e.email)),c+=a("capabilities",`${t.dim("[")}${t.yellow("developer")}${t.dim("]")}`),c+=a("issued_at",t.green(r)),c+=a("expires",t.green(e.expires)),c+=a("revoked_at",t.dim("null")),c}o(Wt,"renderRegistryEntry");import{email as ri,pipe as oi,safeParse as ii,string as si}from"valibot";var ai=oi(si(),ri());function W(e,t="email"){let n=e.trim();if(!n)throw new Error(`${t} is required`);if(!ii(ai,n).success)throw new Error(`${t} must look like an email (user@example.com); got "${e}"`);return n}o(W,"parseEmail");function q(e,t="--expires"){let n=Number(e);if(!Number.isInteger(n)||n<1||n>12)throw new Error(`${t} must be an integer between 1 and 12 (months); got "${e}"`);return n}o(q,"parseExpiryMonths");import pi from"enquirer";var se=3,qt=`Key expiry in months (${1}-${12})`,Qt="Email address for the registry entry",Zt=`Passphrase for the encrypted private key (min ${15} chars)`,en="Confirm passphrase",tn=o(()=>`Passphrase must be at least ${15} characters`,"passphraseTooShortMsg"),nn=o(e=>`Passphrases do not match (attempt ${e}/${se}).
-`,"passphraseMismatchMsg"),rn=`Passphrase confirmation failed after ${se} attempts`;async function Ue(e){return pi.prompt(e)}o(Ue,"defaultPrompt");function on(e){return t=>{try{return e(t),!0}catch(n){return n instanceof Error?n.message:"Invalid"}}}o(on,"parserAsValidator");async function sn(e={}){let{prompt:t=Ue}=e,{months:n}=await t({type:"input",name:"months",message:qt,initial:String(6),validate:on(r=>q(r,"expiry"))});return q(n,"expiry")}o(sn,"promptExpiryMonths");async function an(e={}){let{prompt:t=Ue,gitUserEmail:n=ft}=e,{email:r}=await t({type:"input",name:"email",message:Qt,initial:n(),validate:on(i=>W(i,"email"))});return W(r,"email")}o(an,"promptEmail");async function cn(e={}){let{prompt:t=Ue,stderr:n=process.stderr}=e;for(let r=1;r<=se;r+=1){let{passphrase:i}=await t({type:"password",name:"passphrase",message:Zt,validate:o(a=>a.length>=15?!0:tn(),"validate")}),{confirm:s}=await t({type:"password",name:"confirm",message:en});if(i===s)return i;n.write(nn(r))}throw new Error(rn)}o(cn,"promptPassphrase");function ui(e){return{writeFileSync:e.writeFileSync??di,mkdirSync:e.mkdirSync??mi,existsSync:e.existsSync??li,generateSigningKeyPair:e.generateSigningKeyPair??Ht,encryptStringAsJwe:e.encryptStringAsJwe??Vt,storeKeyInKeychain:e.storeKeyInKeychain??Nt,isMacOS:e.isMacOS??K,promptExpiryMonths:e.promptExpiryMonths??sn,promptEmail:e.promptEmail??an,promptPassphrase:e.promptPassphrase??cn,discoverLocalKeys:e.discoverLocalKeys??(()=>Yt())}}o(ui,"resolveDeps");function ln(e,t={}){let n=ui(t),r=e.command("keys").description("Manage code signing keys");r.command("generate").description("Generate an Ed25519 keypair for code signing").option("-o, --output <path>","Encrypted private key output path (forces file storage even on macOS)").option("--no-keychain","Skip macOS Keychain and write a passphrase-encrypted private key under ~/.dune/keys/ instead").option("-e, --expires <months>",`Validity in months (${1}-${12}); skips the interactive prompt`).option("--email <address>","Email address for the registry entry; skips the interactive prompt").action(i=>yi(i,n)),r.command("list").description("List local signing identities and their storage location").action(()=>gi(n))}o(ln,"registerKeysCommand");async function gi(e){let t=await e.discoverLocalKeys();if(t.length===0){process.stdout.write(`No signing identities found.
-`),process.stdout.write(`Run \`cognite keys generate\` to create one (storage: ${j().keysDir}).
-`);return}let n=["KID","SOURCE","EMAIL"],r=t.map(a=>[a.kid,Bt(a.source),a.email??"\u2014"]),i=n.map((a,c)=>Math.max(a.length,...r.map(p=>p[c].length))),s=o(a=>a.map((c,p)=>c.padEnd(i[p])).join("  ").trimEnd(),"fmt");process.stdout.write(`${s(n)}
-`);for(let a of r)process.stdout.write(`${s(a)}
-`)}o(gi,"handleList");function pn(e,t,n){let r=Ne(j().keysDir,`${e}${ie}`);return n.mkdirSync(Le(r),{recursive:!0}),n.writeFileSync(r,t),r}o(pn,"writePublicKey");async function fi(e,t,n,r,i){let s=r??Ne(j().keysDir,`${e}${Te}`);if(i.mkdirSync(Le(s),{recursive:!0}),i.existsSync(s))throw new Error(`Refusing to overwrite existing key at ${s}. Delete it first if you really want to regenerate: rm ${s}`);let a=await i.encryptStringAsJwe(t,n);return i.writeFileSync(s,a,{mode:384}),s}o(fi,"writeEncryptedPrivateKey");async function yi(e,t,n=new Date){let r=e.keychain!==!1&&t.isMacOS()&&!e.output,i=e.expires!==void 0?q(e.expires):await t.promptExpiryMonths(),s=Fe(Jt(n,i)),a=e.email!==void 0?W(e.email,"--email"):await t.promptEmail(),c=r?null:await t.promptPassphrase();process.stderr.write(`
+`,p+=`${t.dim("-")} ${t.cyan("kid")}${t.dim(":")} ${t.green(e.kid)}
+`,p+=s("public_key",t.green(i)),p+=s("email",t.yellow(e.email)),p+=s("capabilities",`${t.dim("[")}${t.yellow("developer")}${t.dim("]")}`),p+=s("issued_at",t.green(r)),p+=s("expires",t.green(e.expires)),p+=s("revoked_at",t.dim("null")),p}o(rn,"renderRegistryEntry");import{email as ui,pipe as gi,safeParse as fi,string as yi}from"valibot";var hi=gi(yi(),ui());function te(e,t="email"){let n=e.trim();if(!n)throw new Error(`${t} is required`);if(!fi(hi,n).success)throw new Error(`${t} must look like an email (user@example.com); got "${e}"`);return n}o(te,"parseEmail");function ne(e,t="--expires"){let n=Number(e);if(!Number.isInteger(n)||n<1||n>12)throw new Error(`${t} must be an integer between 1 and 12 (months); got "${e}"`);return n}o(ne,"parseExpiryMonths");import gn from"enquirer";var me=3,on="Signing identity (kid) \u2014 e.g. jsmith-dev-001 (lowercase letters, digits, hyphens)",sn=`Key expiry in months (${1}-${12})`,an="Email address for the registry entry",pn=`Passphrase for the encrypted private key (min ${15} chars)`,cn="Confirm passphrase",ln=o(()=>`Passphrase must be at least ${15} characters`,"passphraseTooShortMsg"),mn=o(e=>`Passphrases do not match (attempt ${e}/${me}).
+`,"passphraseMismatchMsg"),dn=`Passphrase confirmation failed after ${me} attempts`,un=o(e=>`A signing key with kid "${e}" already exists. Overwrite it?`,"confirmOverwriteMsg");async function ue(e){return gn.prompt(e)}o(ue,"defaultPrompt");function Ve(e){return t=>{try{return e(t),!0}catch(n){return n instanceof Error?n.message:"Invalid"}}}o(Ve,"parserAsValidator");var wi=/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/;function de(e){let t=e.trim();if(!t)throw new Error("--kid must not be empty");if(t.length>64)throw new Error("--kid must be 64 characters or fewer");if(!wi.test(t))throw new Error("--kid must contain only lowercase letters, digits, and hyphens, and must not start or end with a hyphen (e.g. jsmith-dev-001)");return t}o(de,"parseKid");async function fn(e={}){let{prompt:t=ue}=e,{kid:n}=await t({type:"input",name:"kid",message:on,validate:Ve(de)});return de(n)}o(fn,"promptKid");async function yn(e={}){let{prompt:t=ue}=e,{months:n}=await t({type:"input",name:"months",message:sn,initial:String(6),validate:Ve(r=>ne(r,"expiry"))});return ne(n,"expiry")}o(yn,"promptExpiryMonths");async function hn(e={}){let{prompt:t=ue,gitUserEmail:n=vt}=e,{email:r}=await t({type:"input",name:"email",message:an,initial:n(),validate:Ve(i=>te(i,"email"))});return te(r,"email")}o(hn,"promptEmail");async function Cn(e={}){let{prompt:t=ue,stderr:n=process.stderr}=e;for(let r=1;r<=me;r+=1){let{passphrase:i}=await t({type:"password",name:"passphrase",message:pn,validate:o(s=>s.length>=15?!0:ln(),"validate")}),{confirm:a}=await t({type:"password",name:"confirm",message:cn});if(i===a)return i;n.write(mn(r))}throw new Error(dn)}o(Cn,"promptPassphrase");async function wn(e,t={}){let{prompt:n=o(i=>gn.prompt(i),"prompt")}=t,{confirmed:r}=await n({type:"confirm",name:"confirmed",message:un(e),initial:!1});return r}o(wn,"promptConfirmOverwrite");function xi(e){return{writeFileSync:e.writeFileSync??Si,mkdirSync:e.mkdirSync??Ei,existsSync:e.existsSync??vi,generateSigningKeyPair:e.generateSigningKeyPair??Pi,encryptStringAsJwe:e.encryptStringAsJwe??Wt,storeKeyInKeychain:e.storeKeyInKeychain??Yt,isMacOS:e.isMacOS??G,promptKid:e.promptKid??fn,promptExpiryMonths:e.promptExpiryMonths??yn,promptEmail:e.promptEmail??hn,promptPassphrase:e.promptPassphrase??Cn,promptConfirmOverwrite:e.promptConfirmOverwrite??wn,discoverLocalKeys:e.discoverLocalKeys??(()=>Zt())}}o(xi,"resolveDeps");function En(e,t={}){let n=xi(t),r=e.command("keys").description("Manage code signing keys");r.command("generate").description("Generate an Ed25519 keypair for code signing").option("-o, --output <path>","Encrypted private key output path (forces file storage even on macOS)").option("--no-keychain","Skip macOS Keychain and write a passphrase-encrypted private key under ~/.dune/keys/ instead").option("-e, --expires <months>",`Validity in months (${1}-${12}); skips the interactive prompt`).option("--email <address>","Email address for the registry entry; skips the interactive prompt").option("--kid <identifier>","Signing identity name for the registry (e.g. jsmith-dev-001); skips the interactive prompt").option("--force","Overwrite an existing key without prompting for confirmation").action(i=>ki(i,n)),r.command("list").description("List local signing identities and their storage location").action(()=>bi(n))}o(En,"registerKeysCommand");async function bi(e){let t=await e.discoverLocalKeys();if(t.length===0){process.stdout.write(`No signing identities found.
+`),process.stdout.write(`Run \`cognite keys generate\` to create one (storage: ${N().keysDir}).
+`);return}let n=["KID","SOURCE","EMAIL"],r=t.map(s=>[s.kid,Qt(s.source),s.email??"\u2014"]),i=n.map((s,p)=>Math.max(s.length,...r.map(c=>c[p].length))),a=o(s=>s.map((p,c)=>p.padEnd(i[c])).join("  ").trimEnd(),"fmt");process.stdout.write(`${a(n)}
+`);for(let s of r)process.stdout.write(`${a(s)}
+`)}o(bi,"handleList");function vn(e,t,n){let r=ge(N().keysDir,`${e}${ee}`);return n.mkdirSync(He(r),{recursive:!0}),n.writeFileSync(r,t),r}o(vn,"writePublicKey");async function Ai(e,t,n,r,i,{force:a=!1}={}){let s=r??ge(N().keysDir,`${e}${Ue}`);if(i.mkdirSync(He(s),{recursive:!0}),!a&&i.existsSync(s))throw new Error(`Refusing to overwrite existing key at ${s}. Delete it first if you really want to regenerate: rm ${s}`);let p=await i.encryptStringAsJwe(t,n);return i.writeFileSync(s,p,{mode:384}),s}o(Ai,"writeEncryptedPrivateKey");async function ki(e,t,n=new Date){let{isMacOS:r,existsSync:i,mkdirSync:a,writeFileSync:s,generateSigningKeyPair:p,storeKeyInKeychain:c,promptExpiryMonths:l,promptKid:m,promptEmail:d,promptPassphrase:u,promptConfirmOverwrite:C}=t,g=e.keychain!==!1&&r()&&!e.output,E=e.expires!==void 0?ne(e.expires):await l(),S=Ne(en(n,E)),y=e.kid!==void 0?de(e.kid):await m(),R=ge(N().keysDir,`${y}${ee}`),A=i(R);if(A&&!e.force&&!await C(y)){process.stderr.write(`Aborted.
+`);return}let P=e.email!==void 0?te(e.email,"--email"):await d(),x=g?null:await u();process.stderr.write(`
 Generating Ed25519 keypair...
 
-`);let{privateKeyPem:p,publicKeyPem:l,kid:m}=await t.generateSigningKeyPair();if(r){await t.storeKeyInKeychain(m,p);let f=pn(m,l,t);process.stderr.write(`Public key:  ${f}
-`),process.stderr.write(`Private key: macOS Keychain (service: cognite-dune, account: ${m})
-`)}else{if(c===null)throw new Error("passphrase is required when not using Keychain");let f=await fi(m,p,c,e.output,t),g=pn(m,l,t);process.stderr.write(`Public key:  ${g}
-`),process.stderr.write(`Private key: ${f} (JWE, AES-256-GCM, PBKDF2-SHA512 x${Ie.toLocaleString()})
-`),t.isMacOS()||process.stderr.write(`   (macOS Keychain integration is the default on darwin; on this OS we use the file.)
-`)}let d=Ne(j().keysDir,`${m}${$e}`);t.mkdirSync(Le(d),{recursive:!0}),t.writeFileSync(d,JSON.stringify({email:a}));let u=zt(process.stderr);process.stderr.write(`
-Signing identity (kid): ${u.green(m)}
-`),process.stderr.write(`Expires: ${s} (${i} month${i===1?"":"s"} from today)
-`),process.stderr.write(Wt({kid:m,publicKeyPem:l,email:a,expires:s},u,n)),process.stderr.write(`
-${u.bold("Next:")} open a PR against the ${u.magenta("infrastructure")} repo with that block, then \`${u.cyan(`cognite sign -s ${m}`)}\`
-`)}o(yi,"handleGenerate");var mn=1e3,hi=new Set(["baseUrl","url","project","deployment","source","path","name","displayName","description"]);function wi(e){return Object.fromEntries(Object.entries(e).map(([t,n])=>typeof n=="boolean"?[t,n]:hi.has(t)?[t,n]:[t,"[REDACTED]"]))}o(wi,"sanitize");function Ci(e){let t=[],n=e;for(;n;)n.parent&&t.unshift(n.name()),n=n.parent;return t.join(" ")}o(Ci,"getCommandPath");function dn(e){try{let t=e(process.cwd());return{appExternalId:t.externalId,appVersionTag:t.versionTag}}catch{return{}}}o(dn,"tryLoadAppConfig");function Ke(e){return e.filter(t=>!t.startsWith("-")).join(" ")||"unknown"}o(Ke,"commandFromArgv");function un(e,t,n=C){e.hook("postAction",async(r,i)=>{try{let s={command:Ci(i),options:wi(i.opts()),success:!0,...dn(n)};t.track("Flows.CLI.Command",s),await t.flush(mn)}catch{}})}o(un,"instrument");async function gn(e,t,n=C){try{let r={command:Ke(t),options:{},success:!1,...dn(n)};e.track("Flows.CLI.Command",r),await e.flush(mn)}catch{}}o(gn,"trackFailure");var Ei="ERR_USE_AFTER_CLOSE";function yn(e){return e instanceof Error&&"code"in e&&e.code===Ei}o(yn,"isReadlineClosedError");function Si(e){let t=Object.getPrototypeOf(e);return t===Object.prototype||t===null}o(Si,"isPlainObject");function je(e){return e==null||yn(e)?!0:e instanceof Error?!1:!!(typeof e=="object"&&e!==null&&Si(e)&&Object.keys(e).length===0)}o(je,"isPromptCancel");var fn=!1;function hn(){fn||(fn=!0,process.on("uncaughtException",e=>{yn(e)&&(console.error(`
-Cancelled.`),process.exit(130)),console.error(e),process.exit(1)}),process.on("unhandledRejection",e=>{je(e)&&(console.error(`
-Cancelled.`),process.exit(130)),console.error(e),process.exit(1)}))}o(hn,"installCancelHandler");import{homedir as Ai}from"os";import wn from"mixpanel";var vi="5c4d853e7c3b77b1eb4468d5329b278c",Q="cognite-cli",xi=2e3,Cn={env:process.env,init:wn.init.bind(wn)},Pi={track:o(()=>{},"track"),flush:o(async()=>{},"flush")};function Me(e=process.env){return e.COGNITE_TELEMETRY_DISABLED==="1"||e.DO_NOT_TRACK==="1"}o(Me,"isTelemetryDisabled");function bi(e){return e.COGNITE_TELEMETRY_DEBUG==="1"}o(bi,"isDebug");function En(e={}){let t=e.env??Cn.env,n=e.init??Cn.init,r=e.packageName,i=e.cliVersion,s=bi(t);if(Me(t))return s&&process.stderr.write(`[telemetry] disabled \u2014 noop tracker
-`),Pi;let a,c=new Set;function p(){if(a)return a;try{return a=n(vi,{geolocate:!1,keepAlive:!1}),a}catch{return}}return o(p,"getClient"),{track(l,m={}){let d=p();if(!d)return;let u={...m,applicationId:Q,...r&&{packageName:r},...i&&{cliVersion:i},nodeVersion:process.version,platform:process.platform};s&&process.stderr.write(`[telemetry] track ${l} ${JSON.stringify(u)}
-`);let f=o(()=>{},"finish"),g=new Promise(b=>{f=b});c.add(g);try{d.track(l,u,f)}catch{f()}g.finally(()=>c.delete(g))},async flush(l=xi){if(c.size===0)return;let m,d=new Promise(u=>{m=setTimeout(u,l),m.unref?.()});try{await Promise.race([Promise.allSettled([...c]),d])}finally{m&&clearTimeout(m)}s&&process.stderr.write(`[telemetry] flush done (${c.size} still pending)
-`)}}}o(En,"createTelemetry");var ae=Ai();function Sn(e,t=ae){if(!t||t==="/")return e;let n=e.replaceAll(t,"~"),r=t.replaceAll("\\","/");return r!==t&&(n=n.replaceAll(r,"~")),n}o(Sn,"redactHomedir");var ki=1e3,Di="https://0a118cb02e3be57b1838bcfb5783a2bf@o4508040730968064.ingest.de.sentry.io/4510719268290640",Ii={captureError:o(async()=>{},"captureError"),flush:o(async()=>{},"flush")};function Ti(e){return e.packageName&&e.cliVersion?`${e.packageName}@${e.cliVersion}`:e.cliVersion??"unknown"}o(Ti,"buildRelease");var $i="192.0.2.0";function Fi(e){let t={...e.user,email:void 0,username:void 0,ip_address:$i,id:void 0},n=e.exception?.values?.map(r=>({...r,value:r.value!==void 0?Sn(r.value):r.value}));return{...e,message:e.message!==void 0?Sn(e.message):e.message,user:t,server_name:void 0,...n!==void 0&&{exception:{...e.exception,values:n}}}}o(Fi,"scrubPii");function vn(e={}){let t=e.env??process.env;if(Me(t))return Ii;let n=Ti(e),r="production",i=null,s=null;function a(p){let l=ae&&ae!=="/"?[p.rewriteFramesIntegration({root:ae})]:[];return{dsn:Di,release:n,environment:r,defaultIntegrations:!1,integrations:l,sendDefaultPii:!1,enableLogs:!1,initialScope:{tags:{component:"cli",applicationId:Q},contexts:{cli:{applicationId:Q,node:process.version,platform:process.platform}}},beforeSend:Fi}}o(a,"buildInitOptions");async function c(){return i||(s||(s=(async()=>{try{let p=e.sdk??await import("@sentry/node");return p.init(a(p)),i=p,p}catch{return null}})()),s)}return o(c,"ensureSdk"),{async captureError(p,l){try{let m=await c();if(!m)return;let d={level:"fatal"};l?.command&&(d.tags={command:l.command},d.contexts={cli:{applicationId:Q,node:process.version,platform:process.platform,command:l.command}}),m.captureException(p,d)}catch{}},async flush(p=ki){try{if(!i)return;await i.flush(p)}catch{}}}}o(vn,"createErrorReporter");import{mkdirSync as Oi,readFileSync as Ri,writeFileSync as _i}from"fs";import{homedir as Ui}from"os";import{resolve as ce}from"path";import{debuglog as Li}from"util";import{lt as Ni,parse as xn}from"semver";var Ki="https://registry.npmjs.org/@cognite/cli/latest",ji=1500,Pn="upgrade-check.json",bn=ce(process.env.XDG_CACHE_HOME||ce(Ui(),".cache"),"@cognite","cli"),Ve=Li("cognite-flows");function Mi(e,t){return!e||!t||!xn(e)||!xn(t)?!1:Ni(e,t)}o(Mi,"isOutdated");async function Vi({timeout:e=ji,registryUrl:t=Ki,fetchImpl:n=globalThis.fetch}={}){if(typeof n!="function")return null;try{let r=await n(t,{signal:AbortSignal.timeout(e)});if(!r?.ok)return null;let i=await r.json();return typeof i?.version=="string"?i.version:null}catch(r){return Ve("fetchLatestVersion failed (%s): %O",t,r),null}}o(Vi,"fetchLatestVersion");function Hi(e=bn,t=864e5){try{let n=Ri(ce(e,Pn),"utf-8"),r=JSON.parse(n);return typeof r.latest!="string"||typeof r.fetchedAt!="number"||Date.now()-r.fetchedAt>t?null:{latest:r.latest,fetchedAt:r.fetchedAt}}catch(n){return Ve("readUpgradeCheckCache failed (%s): %O",e,n),null}}o(Hi,"readUpgradeCheckCache");function Gi(e,t){try{Oi(e,{recursive:!0});let n={latest:t,fetchedAt:Date.now()};_i(ce(e,Pn),JSON.stringify(n))}catch(n){Ve("writeUpgradeCheckCache failed (%s): %O",e,n)}}o(Gi,"writeUpgradeCheckCache");async function Bi({cacheDir:e=bn,...t}={}){let n=await Vi(t);n&&Gi(e,n)}o(Bi,"startBackgroundUpgradeCheck");function An(e,{onOutdated:t,cacheDir:n,...r}={}){let i=Hi(n);if(i){Mi(e,i.latest)&&t?.(e,i.latest);return}Bi({cacheDir:n,...r})}o(An,"preActionUpgradeCheck");import{default as jl,chalkStderr as kn}from"chalk";function Dn(e,t){let n=[`\u26A0  Update available: ${e} -> ${t}`,"   Run npx @cognite/cli@latest"],r=Math.max(...n.map(c=>[...c].length))+2,i="\u2500".repeat(r),s=o(c=>`\u2502 ${c}${" ".repeat(r-1-[...c].length)}\u2502`,"pad"),a=[`\u250C${i}\u2510`,...n.map(s),`\u2514${i}\u2518`].join(`
-`);return kn.bold.yellow(a)}o(Dn,"formatUpgradeWarning");function Xi(e){return e instanceof Error&&"code"in e&&typeof e.code=="string"&&e.code==="DEP0040"}o(Xi,"isDep0040Warning");var Ge=process,zi=Ge.emit.bind(Ge);Ge.emit=function(e,...t){return e==="warning"&&Xi(t[0])?!1:zi(e,...t)};hn();var G=new Ji;G.name("cognite").description("Build and deploy React apps to Cognite Data Fusion").version("1.2.0").showHelpAfterError().configureOutput({writeOut:o(e=>Yi(1,e),"writeOut")});G.hook("preAction",()=>{An("1.2.0",{onOutdated:o((e,t)=>{console.warn(`
-${Dn(e,t)}
-`)},"onOutdated")})});_t(G);ln(G);var Tn=En({packageName:"@cognite/cli",cliVersion:"1.2.0"}),In=vn({packageName:"@cognite/cli",cliVersion:"1.2.0"});un(G,Tn);var He=process.argv.slice(2);G.parseAsync(He,{from:"user"}).catch(async e=>{await gn(Tn,He),je(e)&&(console.error(`
-Cancelled.`),process.exit(130)),await In.captureError(e,{command:Ke(He)}),await In.flush(),console.error(e instanceof Error?`\u274C ${e.message}`:e),process.exit(1)});
+`);let{privateKeyPem:f,publicKeyPem:j}=await p(y);if(g){await c(y,f);let z=vn(y,j,t);process.stderr.write(`Public key:  ${z}
+`),process.stderr.write(`Private key: macOS Keychain (service: cognite-dune, account: ${y})
+`)}else{if(x===null)throw new Error("passphrase is required when not using Keychain");let z=await Ai(y,f,x,e.output,t,{force:A}),We=vn(y,j,t);process.stderr.write(`Public key:  ${We}
+`),process.stderr.write(`Private key: ${z} (JWE, AES-256-GCM, PBKDF2-SHA512 x${_e.toLocaleString()})
+`),r()||process.stderr.write(`   (macOS Keychain integration is the default on darwin; on this OS we use the file.)
+`)}let ie=ge(N().keysDir,`${y}${Le}`);a(He(ie),{recursive:!0}),s(ie,JSON.stringify({email:P}));let K=nn(process.stderr);process.stderr.write(`
+Signing identity (kid): ${K.green(y)}
+`),process.stderr.write(`Expires: ${S} (${E} month${E===1?"":"s"} from today)
+`),process.stderr.write(rn({kid:y,publicKeyPem:j,email:P,expires:S},K,n)),process.stderr.write(`
+${K.bold("Next:")} open a PR against the ${K.magenta("infrastructure")} repo with that block, then \`${K.cyan(`cognite sign -s ${y}`)}\`
+`)}o(ki,"handleGenerate");var Sn=1e3,Di=new Set(["baseUrl","url","project","deployment","source","path","name","displayName","description"]);function Ii(e){return Object.fromEntries(Object.entries(e).map(([t,n])=>typeof n=="boolean"?[t,n]:Di.has(t)?[t,n]:[t,"[REDACTED]"]))}o(Ii,"sanitize");function $i(e){let t=[],n=e;for(;n;)n.parent&&t.unshift(n.name()),n=n.parent;return t.join(" ")}o($i,"getCommandPath");function Pn(e){try{let t=e(process.cwd());return{appExternalId:t.externalId,appVersionTag:t.versionTag}}catch{return{}}}o(Pn,"tryLoadAppConfig");function Ge(e){return e.filter(t=>!t.startsWith("-")).join(" ")||"unknown"}o(Ge,"commandFromArgv");function xn(e,t,n=w){e.hook("postAction",async(r,i)=>{try{let a={command:$i(i),options:Ii(i.opts()),success:!0,...Pn(n)};t.track("Flows.CLI.Command",a),await t.flush(Sn)}catch{}})}o(xn,"instrument");async function bn(e,t,n=w){try{let r={command:Ge(t),options:{},success:!1,...Pn(n)};e.track("Flows.CLI.Command",r),await e.flush(Sn)}catch{}}o(bn,"trackFailure");var Ti="ERR_USE_AFTER_CLOSE";function kn(e){return e instanceof Error&&"code"in e&&e.code===Ti}o(kn,"isReadlineClosedError");function Fi(e){let t=Object.getPrototypeOf(e);return t===Object.prototype||t===null}o(Fi,"isPlainObject");function Be(e){return e==null||kn(e)?!0:e instanceof Error?!1:!!(typeof e=="object"&&e!==null&&Fi(e)&&Object.keys(e).length===0)}o(Be,"isPromptCancel");var An=!1;function Dn(){An||(An=!0,process.on("uncaughtException",e=>{kn(e)&&(console.error(`
+Cancelled.`),process.exit(130)),console.error(e),process.exit(1)}),process.on("unhandledRejection",e=>{Be(e)&&(console.error(`
+Cancelled.`),process.exit(130)),console.error(e),process.exit(1)}))}o(Dn,"installCancelHandler");import{homedir as Li}from"os";import In from"mixpanel";var Oi="5c4d853e7c3b77b1eb4468d5329b278c",re="cognite-cli",Ri=2e3,$n={env:process.env,init:In.init.bind(In)},_i={track:o(()=>{},"track"),flush:o(async()=>{},"flush")};function Ye(e=process.env){return e.COGNITE_TELEMETRY_DISABLED==="1"||e.DO_NOT_TRACK==="1"}o(Ye,"isTelemetryDisabled");function Ui(e){return e.COGNITE_TELEMETRY_DEBUG==="1"}o(Ui,"isDebug");function Tn(e={}){let t=e.env??$n.env,n=e.init??$n.init,r=e.packageName,i=e.cliVersion,a=Ui(t);if(Ye(t))return a&&process.stderr.write(`[telemetry] disabled \u2014 noop tracker
+`),_i;let s,p=new Set;function c(){if(s)return s;try{return s=n(Oi,{geolocate:!1,keepAlive:!1}),s}catch{return}}return o(c,"getClient"),{track(l,m={}){let d=c();if(!d)return;let u={...m,applicationId:re,...r&&{packageName:r},...i&&{cliVersion:i},nodeVersion:process.version,platform:process.platform};a&&process.stderr.write(`[telemetry] track ${l} ${JSON.stringify(u)}
+`);let C=o(()=>{},"finish"),g=new Promise(E=>{C=E});p.add(g);try{d.track(l,u,C)}catch{C()}g.finally(()=>p.delete(g))},async flush(l=Ri){if(p.size===0)return;let m,d=new Promise(u=>{m=setTimeout(u,l),m.unref?.()});try{await Promise.race([Promise.allSettled([...p]),d])}finally{m&&clearTimeout(m)}a&&process.stderr.write(`[telemetry] flush done (${p.size} still pending)
+`)}}}o(Tn,"createTelemetry");var Ni=Li();function oe(e,t=Ni){if(!t||t==="/")return e;let n=e.replaceAll(t,"~"),r=t.replaceAll("\\","/");return r!==t&&(n=n.replaceAll(r,"~")),n=n.replace(/(?<![A-Za-z0-9_])[A-Za-z]:[/\\]Users[/\\][^\s/\\]+(?=[/\\]|$)/g,"~"),n=n.replace(/(?<![A-Za-z0-9_])\/(?:Users|home)\/[^\s/]+(?=[/\\]|$)/g,"~"),n}o(oe,"redactHomedir");var ji=1e3,Ki="https://0a118cb02e3be57b1838bcfb5783a2bf@o4508040730968064.ingest.de.sentry.io/4510719268290640",Mi={captureError:o(async()=>{},"captureError"),flush:o(async()=>{},"flush")};function Vi(e){return e.packageName&&e.cliVersion?`${e.packageName}@${e.cliVersion}`:e.cliVersion??"unknown"}o(Vi,"buildRelease");var Hi="192.0.2.0";function Gi(e){return e?.map(t=>({...t,...t.filename!==void 0&&{filename:oe(t.filename)},...t.abs_path!==void 0&&{abs_path:oe(t.abs_path)},...t.module!==void 0&&{module:oe(t.module)}}))}o(Gi,"scrubStackFrames");function Bi(e){let t={...e.user,email:void 0,username:void 0,ip_address:Hi,id:void 0},n=e.exception?.values?.map(r=>({...r,value:r.value!==void 0?oe(r.value):r.value,...r.stacktrace!==void 0&&{stacktrace:{...r.stacktrace,frames:Gi(r.stacktrace.frames)}}}));return{...e,message:e.message!==void 0?oe(e.message):e.message,user:t,server_name:void 0,...n!==void 0&&{exception:{...e.exception,values:n}}}}o(Bi,"scrubPii");function Fn(e={}){let t=e.env??process.env;if(Ye(t))return Mi;let n=Vi(e),r="production",i=null,a=null;function s(){return{dsn:Ki,release:n,environment:r,defaultIntegrations:!1,integrations:[],sendDefaultPii:!1,enableLogs:!1,initialScope:{tags:{component:"cli",applicationId:re},contexts:{cli:{applicationId:re,node:process.version,platform:process.platform}}},beforeSend:Bi}}o(s,"buildInitOptions");async function p(){return i||(a||(a=(async()=>{try{let c=e.sdk??await import("@sentry/node");return c.init(s()),i=c,c}catch{return null}})()),a)}return o(p,"ensureSdk"),{async captureError(c,l){try{let m=await p();if(!m)return;let d={level:"fatal"};l?.command&&(d.tags={command:l.command},d.contexts={cli:{applicationId:re,node:process.version,platform:process.platform,command:l.command}}),m.captureException(c,d)}catch{}},async flush(c=ji){try{if(!i)return;await i.flush(c)}catch{}}}}o(Fn,"createErrorReporter");import{mkdirSync as Yi,readFileSync as Ji,writeFileSync as zi}from"fs";import{homedir as Xi}from"os";import{resolve as fe}from"path";import{debuglog as Wi}from"util";import{lt as qi,parse as On}from"semver";var Qi="https://registry.npmjs.org/@cognite/cli/latest",Zi=1500,Rn="upgrade-check.json",_n=fe(process.env.XDG_CACHE_HOME||fe(Xi(),".cache"),"@cognite","cli"),Je=Wi("cognite-flows");function es(e,t){return!e||!t||!On(e)||!On(t)?!1:qi(e,t)}o(es,"isOutdated");async function ts({timeout:e=Zi,registryUrl:t=Qi,fetchImpl:n=globalThis.fetch}={}){if(typeof n!="function")return null;try{let r=await n(t,{signal:AbortSignal.timeout(e)});if(!r?.ok)return null;let i=await r.json();return typeof i?.version=="string"?i.version:null}catch(r){return Je("fetchLatestVersion failed (%s): %O",t,r),null}}o(ts,"fetchLatestVersion");function ns(e=_n,t=864e5){try{let n=Ji(fe(e,Rn),"utf-8"),r=JSON.parse(n);return typeof r.latest!="string"||typeof r.fetchedAt!="number"||Date.now()-r.fetchedAt>t?null:{latest:r.latest,fetchedAt:r.fetchedAt}}catch(n){return Je("readUpgradeCheckCache failed (%s): %O",e,n),null}}o(ns,"readUpgradeCheckCache");function rs(e,t){try{Yi(e,{recursive:!0});let n={latest:t,fetchedAt:Date.now()};zi(fe(e,Rn),JSON.stringify(n))}catch(n){Je("writeUpgradeCheckCache failed (%s): %O",e,n)}}o(rs,"writeUpgradeCheckCache");async function os({cacheDir:e=_n,...t}={}){let n=await ts(t);n&&rs(e,n)}o(os,"startBackgroundUpgradeCheck");function Un(e,{onOutdated:t,cacheDir:n,...r}={}){let i=ns(n);if(i){es(e,i.latest)&&t?.(e,i.latest);return}os({cacheDir:n,...r})}o(Un,"preActionUpgradeCheck");import{default as im,chalkStderr as Ln}from"chalk";function Nn(e,t){let n=[`\u26A0  Update available: ${e} -> ${t}`,"   Run npx @cognite/cli@latest"],r=Math.max(...n.map(p=>[...p].length))+2,i="\u2500".repeat(r),a=o(p=>`\u2502 ${p}${" ".repeat(r-1-[...p].length)}\u2502`,"pad"),s=[`\u250C${i}\u2510`,...n.map(a),`\u2514${i}\u2518`].join(`
+`);return Ln.bold.yellow(s)}o(Nn,"formatUpgradeWarning");function as(e){return e instanceof Error&&"code"in e&&typeof e.code=="string"&&e.code==="DEP0040"}o(as,"isDep0040Warning");var Xe=process,ps=Xe.emit.bind(Xe);Xe.emit=function(e,...t){return e==="warning"&&as(t[0])?!1:ps(e,...t)};Dn();var J=new ss;J.name("cognite").description("Build and deploy React apps to Cognite Data Fusion").version("1.3.1").showHelpAfterError().configureOutput({writeOut:o(e=>is(1,e),"writeOut")});J.hook("preAction",()=>{Un("1.3.1",{onOutdated:o((e,t)=>{console.warn(`
+${Nn(e,t)}
+`)},"onOutdated")})});Ht(J);En(J);var Kn=Tn({packageName:"@cognite/cli",cliVersion:"1.3.1"}),jn=Fn({packageName:"@cognite/cli",cliVersion:"1.3.1"});xn(J,Kn);var ze=process.argv.slice(2);J.parseAsync(ze,{from:"user"}).catch(async e=>{await bn(Kn,ze),Be(e)&&(console.error(`
+Cancelled.`),process.exit(130)),await jn.captureError(e,{command:Ge(ze)}),await jn.flush(),console.error(e instanceof Error?`\u274C ${e.message}`:e),process.exit(1)});

package/dist/deploy/index.d.ts

@@ -60,6 +60,9 @@ declare class AppHostingClient {
     publishVersion(appExternalId: string, version: string): Promise<void>;
     /** Publish the version and immediately set it as the ACTIVE alias. */
     publishAndActivate(appExternalId: string, version: string): Promise<void>;
+    getActiveVersion(appExternalId: string): Promise<AppVersion | null>;
+    /** Remove the ACTIVE alias from a version, taking it out of service without changing its lifecycle state. */
+    deactivateVersion(appExternalId: string, version: string): Promise<void>;
     /**
      * Set the ACTIVE alias on a version. Returns the version that was
      * previously active (if any) so callers can surface "Superseded X"

package/dist/deploy/index.js

@@ -1 +1 @@
-import{a,b,c,d,e}from"../chunk-PT2DTNGD.js";export{a as AppHostingClient,b as ApplicationPackager,e as deploy,d as getSdk,c as getToken};
+import{a,b,c,d,e}from"../chunk-QOJVLP7E.js";export{a as AppHostingClient,b as ApplicationPackager,e as deploy,d as getSdk,c as getToken};

package/dist/index.js

@@ -1 +1 @@
-import{a as o,b as r,c as e,d as f,e as m}from"./chunk-PT2DTNGD.js";export{o as AppHostingClient,r as ApplicationPackager,m as deploy,f as getSdk,e as getToken};
+import{a as o,b as r,c as e,d as f,e as m}from"./chunk-QOJVLP7E.js";export{o as AppHostingClient,r as ApplicationPackager,m as deploy,f as getSdk,e as getToken};

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@cognite/cli",
-  "version": "1.2.0",
+  "version": "1.3.1",
   "description": "CLI for Cognite Data Fusion",
-  "license": "Apache-2.0",
+  "license": "SEE LICENSE IN LICENSE.md",
   "author": "Cognite",
   "repository": {
     "type": "git",
@@ -44,7 +44,7 @@
     "refresh-spec-kit": "bash scripts/refresh-spec-kit.sh"
   },
   "dependencies": {
-    "@cognite/app-sdk": "^0.4.0",
+    "@cognite/app-sdk": "^0.5.1",
     "@cognite/sdk": "^10.10.0",
     "@sentry/node": "^10.51.0",
     "@zip.js/zip.js": "^2.7.0",